Fiduciary Liability Concerning Cybersecurity Risk and Loss
Cybersecurity is an issue that has slowly risen from an “IT matter” to a concern for businesses of every sector and size. Healthcare networks and corner stores alike are at risk from the rising tide of hackers and cybersecurity damages. Over time, we have seen the level of responsibility rise from the bottom to the top, and today even the board faces fiduciary responsibility for potential cybersecurity losses.
Cybersecurity Rising Through the Ranks
What began as an IT concern in the background became an issue of awareness and prevention for the entire workforce. It then grew from PSAs to workforce-wide training in data security practices.
However, these programs have consistently lacked involvement at the top level. Both C-suite executives and members of the board have often considered cybersecurity to still be a ground-level matter. That is, until billions are lost in regulatory fines and customer trust.
Today, cybersecurity isn’t just a matter for the techs or the rank-and-file employees. Many times in the news, companies are exposed to ransomware attacks and breaches. These have resulted in the theft of millions of private files containing both personal information and company secrets.
These attacks go beyond internal setbacks or public embarrassments; they put the organization at financial risk.
The Board’s Fiduciary Duty to Protect the Company from Financial Harm
The managing board of any organization has a fiduciary responsibility to prevent financial harm to the company. This requires a neutral, selfless approach to not only the visible finances but the influences that could negatively impact the company’s finances.
Boards are used to accepting responsibility for the prudent management of company assets. They focus on projects that will increase the company’s potential for revenue, profit, and value-building. However, up until now, cybersecurity has not been considered a financial matter – other than budgeting for a good firewall program. But cybersecurity has finally entered the risk profile the board considers a threat to a company’s financial stability.
Some boards are ready for the change. Those who have already experienced a cybersecurity breach – even a small one – are seeing cybersecurity on the agenda more often. Boards are recognizing that overlooking cybersecurity leaves a large financial risk on the table.
The Risks Cybersecurity Poses to Organization Finances
There are several ways that cybersecurity breaches can put your organization’s finances at risk. The level of risk, however, is often inversely related to how directly the hacker’s actions aim at financial gain.
For example, a phishing email that convinces an employee to transfer money loses only the money transferred – plus whatever it costs to re-train the staff to avoid phishing emails. A hack that steals billions of digital files might pose no immediate financial loss to the company, but the aftermath can cost billions.
In 2013, Yahoo was hacked and 3 billion accounts were compromised. It then faced at least 41 different consumer class-action lawsuits from both shareholders and Yahoo account holders. As a result, its purchase by Verizon was lowered by $350 million. With a sequence of follow-up breaches in 2014 and again in 2016, Yahoo soon saw a decline in trust, engagement, and dominance over internet communities.
A recent Forrester Consulting study found that 38% of companies and nearly half of surveyed executives find it difficult to attract new customers after a publicized security breach. However, shareholders are often provided the least accurate reporting on an organization’s cybersecurity risks and solutions.
Data Security Threats are Now Ever-Present
The risk of being hacked has also risen considerably over the last decade. Once, hacks were thought to happen only to a few large, targeted companies. However, the digital business world has expanded vastly since those notions were formed. Both the depth and breadth of protected data and the number of potential hackers have expanded beyond the typical idea of hacker risk.
Total reported malware infections in 2009 were 12 million. In 2012 that was 82 million. In 2018, it had leapt to 812 million malware infections. Ransomware attacks rose by 350% worldwide in 2018. 1.5 new phishing sites (websites from which phishing emails are sent) are created every month. On average, a new organization fell victim to ransomware every 14 seconds.
In 2018, there was an average of 80,000 cybersecurity attacks per day and over 30 million attacks per year. The average cost per stolen data record in the United States is $225 per person.
This should come as no surprise given the current tech environment. Today, a 12-year-old with a VPN can download an open-source ransomware program and start sending infected emails. Unfortunately, even a 12-year-old with a well-written piece of malware can cost a company millions from a breach.
Mitigating the Fiduciary Risk of a Cybersecurity Breach
It is time for boards to take cybersecurity in hand. Because this is a financial risk and not just a logistical issue, the board is responsible for the organization-wide projects that reduce, control, prevent, and prepare for that risk.
In 2018, Marriott discovered that the Starwood guest reservation database had been breached since 2014. Data was stolen concerning over 380 million guests including names, mailing addresses, phone numbers, email, passport numbers, birthdays, genders, and travel information. Some also included encrypted payment card information. The company faced £18.4 million ($25 M) in GDPR fines from the UK ICO and customer trust in their cybersecurity protections was permanently impacted.
However, Marriott was also financially prepared for this disaster. According to Bloomberg Intelligence analysts Tamlin Bason and Holly Froum, the cost of the breach totaled around $1 billion, but Marriott skated by losing only about $1 million. Why? For the simple reason of having ample cyberinsurance before the big reveal.
Cyberinsurance insures your company against fines and related costs from a data security breach. But it is only the first step.
Board Actions to Prevent and Prepare for Cybersecurity Risk
It is time for boards to accept the fiduciary risk and responsibility of cybersecurity for their organization. The financial damage a breach can do, and the likelihood of a breach today, cannot be ignored. The last thing you want is to allow a breach to continue undetected, as Yahoo and Marriott did, so that millions more users are affected before the gates are closed.
Board members are experts in types of risk other than data security. They will need to consult with their security and IT executives to gain the insights needed for good decisions, much as the board consults with its financial executives. With combined knowledge, boards can successfully create measures to meet the cybersecurity standards set by PCI and GDPR. It’s time to create your mitigation strategies to best address the fiduciary liability of cybersecurity risk.
To find further business and financial insights, contact us today.