Imagine you are the IT systems administrator of a large corporation. Coffee in hand, you sit down one morning and log in. You receive a message that there has been an intrusion into the corporate database, a large amount of sensitive data has been stolen, and your backup in the cloud has been compromised. BUT “U R Datta WilL B REstoReD” once you pay “BiTCoiNS U.S.$50,000” to the anonymous cyber-extortionists. If you refuse, your data will be sold or publicly released. You are instructed not to involve police. The amount demanded is short money, you notice. Better to pay and move forward than risk the potentially catastrophic consequences.
The value of the kidnapped data is immeasurable: trade secrets, client and customer information, personal financial information, compromising emails between top executives. The list goes on. You owe a duty to all of these stakeholders to protect the company’s most sensitive information and to resolve this crisis with the least damage possible. Should you quietly pay the ransom and hope the extortionists return the company’s crown jewels? Or should you take a hard line, call the authorities, and refuse to submit to cyber terrorist threats that may or may not be real, lest you become a compliant target for future extortions?
Those at Banque Cantonale de Geneve likely considered these gut-wrenching questions when they were victimized by hacking group Rex Mundi. On January 9, 2015, Rex Mundi demanded 10,000 euros in exchange for hijacked emails. The bank refused, and Rex Mundi subsequently released the data to the public. Fortunately, it turned out that the leaked data (the hackers were semi-bluffing) consisted only of clients’ inquiries, not accounts. However, the damage to the bank’s reputation was immeasurable. It had a “reputation for helping clients conceal information from tax authorities” and had just struck a deal with Swiss authorities to pay fines for helping wealthy Americans avoid taxes. The extortionists struck when the bank’s reputation was already on the line, and the resulting reputational damage arguably may have been worse than if truly sensitive information had been released.
So how can companies protect themselves from cyber extortion and how should they respond to such threats?
Companies should start by assembling a data breach response team consisting of the relevant personnel, starting with IT/technical, legal, forensic, and PR professionals. This group must convene, anticipate, and prepare responses to potential data breach, cyber extortion, hacktivist and other nightmare scenarios. There are two critical steps companies can take to embark on this process.
Identify and protect the company’s crown jewels—the most sensitive data—and ensure that information is safeguarded to the maximum extent possible. This means developing a comprehensive risk management plan that includes robust perimeter controls at all points of entry, including within your own company as well as third-party vendors and business partners with network access. There must also be active network monitoring, not only for external intrusions but also for unusual activity within the network. More and more, hackers are lying in wait within the system, plotting their attack and exit, deviating from the traditional “smash and grab” route of simply stealing personally identifiable information and then receding into the nether regions of the dark web. Password protection alone is no longer enough, meaning that companies need to employ multi-factor authentication with constantly changing access codes. There also need to be fortress-like backups and tested disaster recovery systems, regular penetration testing, and all attendant good cyber hygiene practices.
The sad truth is that you need to assume that whatever you do to protect the crown jewels is not going to work. Your defenses, no matter how robust or state of the art, will eventually be compromised. Begin to plan accordingly. For the cyber extortion exercise, just like every other significant risk, company management needs a well thought-out plan. The dilemma of “pay or don’t pay” needs to be debated internally in advance, and the response options need to be clearly laid out. Decisions, tradeoffs, and pros and cons cannot be discussed for the first time when there’s a gun pressed to the company’s head.
You will quickly find that there is no win/win answer. The best option is to choose the least damaging of the bad options based on all the facts and circumstances. Policies like “Never negotiate with terrorists” and “Never trade arms for hostages” all sound good on paper until the terrorists kill the hostages, or in this case, destroy—or, perhaps worse, publicly release—the kidnapped data.
Unfortunately, cyber extortion happens all the time and frequently goes unreported. If you cave and pay, you may become easy prey. If you don’t pay the ransom and instead go to the authorities, you may suffer economic consequences far greater than the often short money demanded in the first place. These evolving forms of cyberattack are threats that can never be eliminated. The best defense is proactive, thoughtful and intelligent preparation on all fronts.
Mark E. Robinston serves as co-chair of Mintz Levin’s national white collar defense and investigations practice and is a nationally recognized authority in government investigations and enforcement and cybersecurity defense. Mark represents, advises, and defends public and private sector clients in connection with internal investigations, regulatory enforcement actions, commercial litigation, and large-scale data breaches. Cynthia J. Larose is chair of Mintz Levin’s Privacy & Security Practice and has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions. The authors acknowledge the work of Mintz Levin litigation associate Jane Haviland in researching and helping to develop the content of this article.
Last year, NACD launched its fourth Advisory Council on Risk Oversight—the first of our councils not dedicated to a specific key board committee. In fact, less than 10 percent of public companies even have a committee dedicated to risk oversight. This advisory council was formed as the result of a simple observation: the responsibility of risk oversight has expanded significantly in the last several years. This council is not lacking for discussion topics—the nature of potential risks to an organization is evolving seemingly by the day. Directors need to know the strategies in place to not only mitigate but capitalize on the risks currently facing the company, and those predicted to present challenges in the future.
But that just accounts for what is on the board’s radar. At the second meeting of NACD’s Advisory Council on Risk Oversight held in collaboration with PwC and Gibson Dunn, the discussion went beyond current and predicted risks to the challenges of disruptive technologies and innovation. Increasingly, the most severe shocks have been largely unpredictable: extreme weather, the confluence of multiple events, or innovation that upturns the industry. As one delegate observed: “We haven’t spent much time on the [risk of] ‘I will eat your lunch with a completely different approach.’ Companies don’t sit down and think about who is going to attack from a completely different angle.”
In their oversight capacity, directors cannot constantly monitor the more detailed aspects of the business. Nor can “you anticipate what you don’t know.” Nevertheless, several delegates suggested that the appropriate risk oversight processes in place, coupled with a resilient culture that efficiently reports risks up to the board, can support directors in mitigating known and unknown risks. The meeting, captured in the 2013 Advisory Council on Risk Oversight Summary of Proceedings, focused on areas critical to effective risk oversight processes. These include:
Board processes and people. It is critical that the board not only has the right talent, but engages it fully. Directors should have a “real and thorough” understanding of the business to be able to effectively discuss both strategy and risk with management.
Recognizing asymmetric information risk. While the board has to be comfortable with the reality of information asymmetry, directors should establish tolerance levels for the level of asymmetric risk they are willing to bear, and look for signs of when this risk has become too high.
Engaging with management involved in risk reporting. For companies with a chief risk officer (CRO), that person can keep an “inventory” of risks throughout the organization. Additionally, directors can ask internal audit to identify what it believes will be “hot-button” risk areas.
Linking strategy to risk. The board’s oversight of risk should begin with an assessment of the company’s strategy and its inherent risks, which necessitates understanding and agreeing on the risk appetite, or the amount of risk the company is willing to accept.
Allocating the work of risk oversight. The significant increase in risks facing the board necessitates defining who will act as an “air traffic controller”—allocating risk oversight responsibilities.
Leading practices for risk oversight—including allocation of work and the development of a risk strategy document—will continue to be the focus points not only for this advisory council but also NACD’s Directorship 2020 initiative. The full summary of proceedings is available for download.
Underlying NACD’s Directorship 2020 initiative is a single observation: capitalism—and the role of the director—is changing. There are the more obvious forces behind this shift: vocal shareholder activists, a steady stream of regulation impacting the boardroom, emerging technologies, and the increasingly global marketplace; however, a quieter influence is also taking hold of capitalism: looking beyond the bottom line.
Since their formation, the ultimate goal of corporations has been to generate profit, and therefore shareholder return. As such, total shareholder return has served as a universal metric for investors when analyzing a company’s performance. Recently, several companies have been profiled for their use of “capitalism with conscience.” Panera Bread, for example, has established a number of locations that allow the customer to “pay what you can”; Intel not only links compensation to sustainability but ties employee bonuses to environmental metrics; and Office Depot announced this week the second round of its national “Green Business Challenge”—a public-private partnership launched in 2010 with ICLEI USA. These companies represent just a fraction of those embracing this “softer” side of capitalism. The list of companies upping the ante with respect to sustainability efforts is rapidly growing to include General Electric, Nordstrom, Microsoft, Starbucks, and more.
Observing this trend, Northwestern University Professor and former CEO and Chair of Bell & Howell Bill White posed this question at the recent NACD Directorship 2020 symposium in New York City: should we rename “total shareholder return” to “total stakeholder return”? Although attendees did not commit to a change in nomenclature, they generally agreed that stakeholder return was a necessary consideration in the boardroom. In fact, a key takeaway from the event was a recommendation that the board encourage metrics that foster stakeholder engagement as a strategy for risk mitigation.
Establishing a metric tied to sustainability is not entirely new. In 2010, NACD’s Blue Ribbon Commission on Performance Metrics recommended boards consider non-financial metrics in addition to the more traditional financial metrics, including categories such as community engagement, environment, health and safety, and corporate social responsibility. Additionally, earlier this year NACD Directorship magazine featured a comprehensive primer to sustainability in the boardroom.
Yet many still view sustainability and shareholder return as an “either/or” situation: attention to the former detracts from the latter. At the Bricks and Sticks Sustainability Symposium—an event produced by the U.S. Chamber of Commerce’s Business Civic Leadership Center—panelists representing the various stakeholders involved in public-private partnerships observed that today it is instead a “both/and” scenario. Sustainable long-term economic growth is dependent upon continuing environmental and stakeholder health, and vice versa. Directors play a critical role, according to Yalmaz Siddiqui, senior director of environmental strategy for Office Depot. The organization’s successful Green Business Challenge was in part driven by a strong message from the boardroom encouraging increased focus on sustainability.
Innovative and sustainable solutions for economic growth often require far-reaching and long-term thinking, which can pose a challenge for boards hindered by a more immediate, short-term focus on the bottom line. At upcoming symposiums in Chicago and Los Angeles, NACD Directorship 2020 will continue to explore how—and with which metrics—the board can oversee this changing facet of capitalism.