Cyber crimes continue to be costly for organizations. A recent study reveals that the average annualized cost of cyber crime increased by 20 percent to $15 million this year. Another study estimates the total cost of cyber attacks globally over the past 12 months was at least $315 billion. Yet surveys indicate that as much as one-third of boards of directors do not engage in cyber risk discussions. Another 26 percent of corporate boards receive security presentations only once a year. According to various reports, there are several reasons why corporate boards have been reluctant to take on cybersecurity:
- Cybersecurity is merely one of the many topics on boardroom agendas
- Cybersecurity is traditionally regarded as an IT issue
- Cyber attacks mainly target the defense or financial services sectors
- The risks and the pay-offs of cybersecurity investment are difficult to measure
While the above reasons may have been tolerated in the past, new realities demand a new set of responsibilities. As cyber threats become one of the most significant business risks facing organizations today, board members are increasingly being held accountable. Indeed, as SEC Commissioner Luis Aguilar emphasized in a 2014 speech, “… boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” On that note, the evolving regulations alone provide a strong incentive for boards of directors to take on more active roles regarding cybersecurity matters.
The infamous Target hack and the two subsequent lawsuits provide illustrative examples of evolving regulations. In the first lawsuit, the plaintiffs argued that Target’s management had committed a breach of fiduciary duty and wasted corporate assets. The plaintiffs in the second case also alleged a breach of fiduciary duty and waste of corporate assets, in addition to gross mismanagement and abuse of control. The common theme between the two was a belief by shareholders that the Target board failed to take adequate measures on cybersecurity matters. In fact, Institutional Shareholder Services, an advising company, called on Target to remove seven of the ten directors from the company’s Audit and Corporate Responsibility Committee. Though none of the directors were voted out, the incident illustrates how boards have a fiduciary duty toward shareholders to ensure cybersecurity.
The Wyndham Worldwide lawsuit and the court ruling that followed provide another important case. Following the company’s data breach, the Federal Trade Commission (FTC) alleged that Wyndham Worldwide violated Section 5 of the FTC Act; in other words, the company failed to employ the reasonable data security measures necessary to prevent a breach. When Wyndham Worldwide responded by challenging the FTC’s authority to regulate data security standards, the courts sided with the FTC. The ruling, handed down in August 2015, will likely have further implications for cybersecurity regulations and corporate board responsibility.
Besides lawsuits, the cost of cyber breaches also bears on a board’s fiduciary responsibility to preserve corporate financial value. Indeed, nine out of ten directors believe regulators should hold businesses liable if they don’t make reasonable efforts to secure data. A recent report highlights that the European Union’s Data Protection Directive, for instance, includes a proposal for fines of up to five percent of a company’s global revenue. A KPMG report reveals that investors are increasingly challenging boards to step up their oversight of cybersecurity.
The impact cybersecurity matters can have on brand value increases the pressure on boards as well. According to Forrester Research, “at least 88% of the S&P’s market value consists of goodwill and intangible assets, such as reputation, brand, innovation, processes, know-how, and customer experience.” The Ashley Madison data breach in July 2015 is one such example. From the subsequent suicide of a New Orleans pastor to the resignation of the CEO of the hacked website, the incident shows how much cybersecurity issues can shape a company’s future.
To be sure, the recent high-profile breaches are bringing cybersecurity discussions to the forefront of boards’ considerations. A Veracode survey reports that almost half of directors familiar with the Wyndham Worldwide lawsuit said the case has influenced their discussions on cybersecurity. The passing of the Cybersecurity Information Sharing Act (CISA) is one small indication that cybersecurity matters are finally making strides.
But the push for more cybersecurity discussion for boards does not imply that all members should obtain IT degrees. Boards can accomplish proper cybersecurity oversight by asking themselves three key questions:
- What are the latest cybersecurity threats, and how can they affect our company?
- What are our company’s strategies to mitigate the risks from evolving cyberattacks?
- What key trends should we be prioritizing at the boardroom level to perform effective risk management?
Importantly, corporate boards need to address the cybersecurity discussion the same way an audit committee approaches a company’s financial reports. A methodical, detailed, skeptical, and intelligent inquiry will be necessary in boardroom discussions on cybersecurity.