Enterprise Risk Management at the Board Level Needs to Include Cybersecurity
23 March 2016
By Carol Wolf
Forget the IT department: responsibility for cybersecurity breaches is increasingly falling on the board of directors. That is because part of the board's job is to mitigate enterprise risk, and a cybersecurity breach can cause significant operational, financial, and reputational damage, exactly the kinds of harm that affect shareholder value. The damage can take the form of lost reputation, litigation, regulatory action, and technology and remediation costs, among other things, all of which can depress a company's stock price and even threaten the survival of the organization.
Historically, enterprise risk meant financial fraud and natural disasters. But the damage a cybersecurity breach can cause a company is now so significant that directors are starting to be held accountable. Lawsuits against directors and officers of public companies related to cybersecurity breaches are reaching the courts. According to the report Navigating the Cyber Security Storm by Weil Gotshal's Paul Ferrillo, both the retailer Target and its board of directors were named in securities class action lawsuits arising out of a 2013 cyber attack, which cost the company about $300 million and resulted in more than 140 customer lawsuits of all types, not to mention litigation by Target's banking partners. A 2015 cyber attack against Anthem Healthcare resulted in at least 50 class action lawsuits, and more than 31 legal actions were filed against Home Depot after hackers broke into its systems in 2014, according to Ferrillo's report.
One lawsuit alleged that directors failed to take “reasonable steps to maintain their customers’ personal and financial information in a secure manner” and/or “breached their fiduciary duties of loyalty, good faith, and due care by knowingly and in conscious disregard of their duties.”
Directors are beginning to understand what cybercrime means for their operations and for their fiduciary duty. A 2014 survey of corporate boards by The Institute of Internal Auditors found that 65 percent of respondents rated cybersecurity risk as high and likely to increase; as more business functions move online, the cost of cybercrime will only grow. Yet only 14 percent said their board was actively involved in cybersecurity preparedness, even though 58 percent agreed that directors should be more actively involved.
A study of 252 companies by the Ponemon Institute and Hewlett Packard Enterprise Security found that cybercrime costs the average U.S. company in the sample $15.4 million a year, and that the number of successful attacks has risen 46 percent over the past several years. The study counted about 99 successful attacks in 2015, up from 68 in 2012. A report by McAfee estimated that cyber attacks cost the world economy about $400 billion annually.
All of this means that directors will need to spend more time educating themselves about cybersecurity and understanding the strategic options available to them, without becoming involved in the day-to-day operations of the IT department, Ferrillo said. Directors should make sure that the enterprise risk management policies and procedures put in place by management cover cybersecurity and are consistent with the board's appetite for risk. Directors also need to monitor those policies to confirm they are actually working. Failing to do so needlessly exposes the company, its board members, and its shareholders to risk.
Next week, we’ll take a look at the correlation between cybersecurity, reputation and shareholder value.