The major cyber breach that Yahoo announced last week has ripple effects not only for the multimedia platform, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.
Background on the Breach
Ashley Marchand Orme
Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, encrypted passwords, and security questions.
Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.
The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.
Attention From Lawmakers
Sen. Mark R. Warner (D.-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.
“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.
Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”
And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations to increase the responsibility of banks and insurance to protect their information systems and customer information. The regulations, if instated, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to—among other steps—establish a cybersecurity policy and incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.
The Boardroom Response
Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.
When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:
Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
Communicated with management about the types of cyber-risk information the board requires (64.4%)
Reviewed the company’s response plan in the case of a breach (59.3%).
“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director for ISACA, which is a global IT and cybersecurity professional association, and White Cloud Security. “They should also ask what framework is being followed for IT governance.”
Aside from high-profile breaches of emails and email providers, Clyde says that breaches related to ransomware are increasing.
“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”
NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity, and the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.
A recent discovery ruling in the Target Corp. data breach litigation has raised the stakes for corporations and their officers and directors when faced with a cyberattack. The ruling, issued on May 27, 2015 by Magistrate Jeffrey J. Keyes, requires Target to disclose details of similar breaches between 2005 and 2010, including the time frame for the attack, the methods used to access information, measures the company considered and instituted to prevent future breaches, and the extent of the financial fallout.
The Target breach grabbed headlines following the 2013 holiday season as news leaked that hackers had installed malware in Target’s security and payments system and captured the credit card information of approximately 70 million shoppers. All too predictably, a series of lawsuits followed that have been consolidated before a federal judge in Minnesota.
This discovery ruling—the most recent development in the Target data breach cases—opens the door to greater scrutiny of corporate cybersecurity decisions and focuses on how past breaches were handled by both senior management, and importantly, by corporate boards.
While the ruling technically applies only to the cases brought by the financial institution plaintiffs in the Target case—banks that had issued the now-compromised credit cards—plaintiffs can be expected to seize upon this ruling and use it as a tactic to argue for similar discovery in other data breach cases. Of particular note are the consequences in class actions and in shareholder derivative suits, where the conduct of corporate leaders is front and center. The ruling opens the door to tough questions about corporate behavior: how were past breaches handled? Were the breaches adequately remediated? Were reasonable internal controls put in place to manage future cyber risks? And, perhaps most importantly, were “red flags” or early warnings of the breach ignored?
Cyberattacks are only becoming more brazen and more prevalent, and data breach litigation is on the rise. Plaintiffs in these suits will use the most recent Target ruling to argue that a company’s actions need to be evaluated not only with respect to the existing breach but also with respect to past, or even merely attempted, breaches.
The decision also serves as a reminder of what companies should already be doing. Specifically, there are at least three steps companies should take with respect to their cybersecurity, if they have not already done so.
First, companies should have a data incident response plan in place before a breach occurs. A company’s plan should take into account what kinds of data need to be protected, who is likely to try to steal or acquire that data, and who the relevant stakeholders are in the event the data is lost or stolen. Companies should also have their outside counsel and data forensics teams selected and on speed dial.
Second, companies should evaluate their insurance needs for cybersecurity issues. A standard commercial general liability (CGL) policy may ultimately cover some data breach claims, but it could require time and money to establish that coverage, a lesson Sony learned the hard way after North Korean hackers infiltrated its systems. Sony lost its coverage dispute with its CGL carrier at the trial court and settled the dispute before the appeal was heard. A specialized cyber policy can help avoid a situation like Sony’s. In addition, public companies should consider what disclosures they make to investors about cybersecurity risks in light of their insurance coverage.
Third, knowing that plaintiffs in other data breach cases will likely seek discovery of prior breach incidents, companies must adopt and document clear policies that outline the steps being taken to protect sensitive data, along with their responsibilities and plans for disclosing breaches. They should clearly define the roles of senior management and directors and specify the frequency with which security policies are updated.
Cyberattacks are not going away. Companies that proactively adopt sound cybersecurity policies and practices will find it far easier to defend themselves when their businesses come under attack.
Craig A. Newman is a partner at Patterson Belknap Webb & Tyler LLP and chair of its Privacy and Data Security Practice Group. Scott Caplan is an associate in the Privacy and Data Security Practice Group at Patterson Belknap Webb & Tyler LLP.
Innovative technology can be a differentiator as well as a disruptor in today’s marketplace. Technological advancements are rapidly compressing the half-life of business models and industries that historically have not been viewed as dependent on technology are now being transformed by it and their business models can no longer function without these latest advancements. Consider Uber. The ability to book, track, and pay for a cab from a mobile device significantly differentiated this business from traditional taxi services. The bottom line is that technology is no longer a mere enabler.
At Protiviti, we often receive feedback from directors stating they do not have a sufficient understanding of the information technology (IT) risks facing their organizations. Furthermore, according to the 2014−2015 NACD Public Company Governance Survey, IT was the area with the least amount of satisfaction in terms of both quality and quantity of information received from management.
The board needs to understand IT as a critical enterprise asset, and the opportunities and risks associated with it must be communicated in a manner directors can understand. Directors instinctively know IT risks have increased in significance. Social business, cloud computing, mobile technologies and other developments offer significant opportunities for creating cost-effective business models and enhancing customer experiences. They also may spawn disruptive change, increased privacy and security risks, and further exposure to cyberattacks.
These changes present fresh challenges that create a moving target for companies to manage. While the velocity of disruptive innovation through emerging technologies is not as immediate as a sudden catastrophic event, its persistence of impact is potentially lethal for organizations caught on the wrong side of the change curve.
Add to all of the above the evolving relationship between the CIO and CISO and the board (or the supervisory board in a two-tiered board structure). These dynamics sum up the environment and expectations that these executives face as they address boards now and in the future, placing their interactions with the board within a business model, strategic and/or risk context.
In many organizations, the chief information officer (CIO) and chief information security officer (CISO) brief the full board or the audit committee on the state of IT on an annual basis, if not more frequently. They can approach this briefing in three ways:
Within the context of the business. The CIO or CISO addresses how the business model leverages technology to deliver the products and services the company offers the marketplace and the opportunities and exposures resulting from disruptive change. The business context briefing answers questions such as:
Do we understand potentially disruptive technologies at an industry level? Are we ahead of the curve to the extent that we are able to integrate new technologies into the business on a timely basis?
Are emerging technologies being deployed effectively to achieve our business objectives (e.g., achieve customer loyalty, improve quality, compress time, reduce costs and risks, and drive innovation)?
Are we positioning the company’s operations to anticipate and proactively drive the innovative change needed to secure sustainable competitive advantage?
What emerging technologies could alter the competitive landscape, customer expectations, and strategic supplier and/or distribution channel relationships within the value chain in which we operate? To what extent are our operations and currently deployed technologies exposed to disruptive change?
Are there aspects of our technological capabilities that we should be sharing with analysts, shareholders, and the general public? If so, are we sharing them? If not, why not?
Within the context of executing the strategy. The CIO or CISO articulates how strategic initiatives are driven by critical technologies and how the organization is facilitating the design and implementation of controls over these various technologies to ensure they perform effectively. The strategic execution context briefing answers questions such as:
What technologies are critical to implementing our strategic initiatives (e.g., growth, profitability enhancement, innovation, and process improvement)?
How are we ensuring that these technologies are functioning effectively?
How is the IT department collaborating with other functional units and the lines of business to ensure that an appropriate return on the organization’s investment in these technologies is being realized?
What challenges are we encountering in implementing these technologies to execute our strategy? What is the potential impact of these challenges on the success of our strategic initiatives?
Do we have the reliable and timely information and data we need to execute strategic initiatives?
Within the context of mitigating risks. The CIO or CISO uses a broader business view to identify specific risks that either may be a result of technology or are mitigated partly through the application of technology. The risk mitigation context briefing answers questions such as:
What are the most significant risks arising from IT, and how do they affect the business, including its reputation and brand image? Have we assessed our tolerance for these risks?
Are we mitigating the critical risks to an acceptable level? How do we know?
What critical business risks are we mitigating using a risk response that relies upon an important technology component? Is this technology component performing effectively? How do we know?
The objective is to provide a briefing on IT matters that resonate with directors across all of the above contexts:
The business context: Are we managing disruptive change?
The strategic context: Are we maximizing value contributed and return on investment?
The risk mitigation context: Are we managing the business and reputational impact of our risks?
Two principles underpin this discussion: (1) business objectives are also IT objectives, and (2) IT risks represent business risks. Using these principles, the above contextual perspectives provide insights to CIOs as to how they should communicate with boards and to board members as to the information they should expect from CIOs.
Citing and then speaking to the above contexts in a crisp, nontechnical manner can facilitate an ongoing board dialogue. In this regard, the CIO or CISO should:
Demonstrate an understanding of the business. Using the appropriate context, drill down to the relevant IT-related objectives, plans for achieving objectives, organizational capabilities to execute plans, and measures by which to gauge progress. In today’s world, technology can facilitate and expedite business transformation and growth through technological innovation (the business context), but it also can destroy reputations if not adequately protected and controlled (the risk mitigation context). Board members should be counseled on both of these interrelated contexts.
Focus on the board’s needs. The board has little interest in the intricacies of how the CIO or CISO organization is run and managed. Don’t go there unless requested.
Address business impact and metrics, not just IT impact and metrics. Provide an end-to-end view and focus on business consequences. For example, consider the following metric: “99 percent of our systems are patched within 10 days.” This metric leaves unaddressed the question as to the sensitivity of the data and/or business consequences of service failure of the other 1 percent of systems.
Target the audience. Understand the purpose of the briefing. Ask the board committee chair for direction. Ask people who have presented to the board for insight as to the background and personalities of the various directors.
Keep it pithy. Identify the key message points directors should take away, and focus on supporting those points. Share sophisticated knowledge judiciously. Allow time for questions. Expect to be asked to expedite your briefing if it is scheduled late in the day.
Boards need to clarify their expectations of the CIO and CISO. What are the directors’ needs, what do they not understand, and what IT issues and related business risks concern them the most? More important, what context(s) do directors want these executives to address when presenting on IT matters? In addition, directors need to be realistic with their expectations of CIOs and CISOs due to the natural complexity of IT. Accordingly, the allotted presentation time should be commensurate with directors’ expectations of the briefing.
Questions for Boards
Below are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Is the strategy-setting process influenced by the opportunities presented by technology and the potential to lead and/or respond to disruptive change? Alternatively, is technology narrowly viewed as a strategic enabler?
Does the board devote sufficient time to IT matters, including related opportunities and risks, as well as the organization’s capabilities and processes in managing those opportunities and risks?
Is the board satisfied with the CIO’s periodic communications? If not, has the board conveyed its expectations to the CIO so that future communications are on point?
Is the CIO organization effective in supporting the changing needs of the business and monitoring technology innovations, including how new technology can be deployed by competitors (or employees) to create disruptive change? Does the CIO assist the board in understanding these issues?
Given growth in the number of cyber threats confronting organizations, does the board have an active dialogue with the CISO on incident response preparedness?
For significant IT projects, does the board understand the underlying assumptions about how each project achieves strategic goals, as well as how success will be measured? Is there follow-up to ensure that each significant project delivers on promises made?