Recently, IBM surveyed more than 700 C-Suite executives in 18 industries and 28 countries about their views on cybersecurity. Ninety-four percent of those interviewed believe that their respective companies will experience a cybersecurity incident in the next two years. Despite such widely-held acceptance of the inevitability of an incident, only sixty-five percent of C-Suite executives expressed a confidence in their cybersecurity plans. Sixty percent of the Chief Finance, HR, and Marketing Officers surveyed expressed their feeling that they are the least involved in cybersecurity measures, even though they are the individuals responsible for data most coveted by cybercriminals.
Another takeaway from IBM’s research shows that transparency and collaboration are important tools in presenting a unified front against cybercriminals. Yet sixty-eight percent of C-Suite executives admitted their reluctance to externally share information about their cybersecurity incidents. Perhaps the more technically savvy Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and Chief Risk Officers (CROs) view their organizations’ cybersecurity measures more confidently than do the CEOs. Chief Marketing, Finance, and HR Officers tend to have less confidence in their organizations’ cybersecurity.
One possible explanation for these differing levels of confidence could be lack of understanding and communication across the C-Suite regarding the organization’s cybersecurity practices. As IBM’s research points out, “[a]lignment across the C-Suite, particularly between IT and the line-of-business owners is increasingly important to building a mature security posture.” However, the majority of C-Suite participants surveyed indicated a lack of collaboration across the C-Suite regarding their companies’ cybersecurity plans.
The C-Suite must balance their organizations’ interests in ensuring robust information security, on the one hand, while furthering their organizations’ business objectives and profit goals, on the other. When it comes to cybersecurity, a lack of collaboration across the C-Suite and with industry peers, a lack of transparency regarding cybersecurity incidents, and a reluctance to incur significant costs to overhaul legacy IT systems or create more robust information security departments will create major issues for the C-Suite.
Perhaps the spate of high profile shareholder derivative actions might have the C-Suite wondering whether they’re “damned if they do, damned if they don’t” when it comes to cybersecurity. Plaintiffs criticize C-Suite action on two fronts. First, they attack the steps taken and internal controls implemented to prevent data incidents from occurring to begin with, and, second, they attack how the directors and officers responded to the incident, such as their internal investigation and remediation efforts, and how candid they were about the circumstances of the data incident.
At the heart of all corporate decision-making is the obligation to act in the best interests of the company, and directors and officers who do are generally not personally liable for their missteps or the corporate failures that happen on their watch (the Business Judgement Rule). Even with C-Suite executives protected by the business judgment rule, however, plaintiffs have not been deterred in their attempts to hold directors and officers personally liable for the fallout from massive data incidents.
The first notable case against the C-Suite following a data incident was In re Heartland Payment Systems, Inc. Securities Litigation. In short, the plaintiffs alleged that the C-Suite concealed a cyberattack. The court dismissed the lawsuit, recognizing that “the fact that a company faces certain security problems does not of itself suggest that the company does not value data security.” Central to the court’s analysis in Heartland were the actions taken by the CEO and CFO before and after the data incident.
Similarly, pre- and post-incident conduct was at issue in a major retailer’s shareholder derivative actions. In response, the retailer formed a special litigation committee, comprised of independent experts, who issued a report after a 21-month investigation. The special litigation committee recommended that claims not be pursued against any officers or directors. Fortunate for the retailer, Minnesota, where it is headquartered, gives great weight and deference to the recommendations of a special litigation committee, creating an almost insurmountable hurdle for plaintiffs to overcome. As a result, the federal district court dismissed the derivative action.
Ultimately, company management is responsible for implementing adequate cybersecurity controls, ensuring periodic review of those controls and IT infrastructure, and responding to a cybersecurity incident when it happens. What data has shown is that even the most sophisticated cybersecurity controls can be compromised. If Heartland is any predictor, the fact that an organization suffers a data incident doesn’t necessarily mean that its security controls were lax or its management was negligent. Nevertheless, if a major data incident occurs, the C-Suite and boardroom can be assured that their actions both pre- and post-breach will be closely scrutinized.
Moreover, being immune from personal liability under the business judgment rule doesn’t always mean that directors and officers will be immune from personal accountability. The C-Suite and boardroom are feeling the heat from data incidents in the form of reputational damage to the organization, significant costs associated with investigating and remediating the effects of a breach, and the round of lawsuits that ultimately follow—which are expensive in their own right and, even worse, keep the incident in the public eye. The fallout from data breaches can even lead to the ouster of some in the C-Suite. The major retailer’s CEO and CIO both resigned in 2014.
What’s clear about the current cybersecurity landscape facing the C-Suite today is that cybersecurity is no longer just an IT issue, nor is it defensible to be naïve about cybersecurity. In fact, the more data incidents occur and are in the news, the more incumbent it is on the C-Suite and boardroom to stay abreast of what their organizations are doing to prevent and respond to cybersecurity incidents. At a minimum, there should be open communication about cybersecurity across the C-Suite and a basic understanding of what’s being done and who’s responsible. A diligent C-Suite and boardroom should be cognizant of their companies’ cybersecurity risks, routinely discuss those risks, and rely on and follow the advice of experts to mitigate those risks.
Christopher Wiech,
ChristopherWiech@leclairryan.com