Into the Breach: What Directors Need to Know
The war that cyberattacks are waging against entities of all sizes requires vigilance on the part of boards of directors, as well as corporate leadership, to safeguard data from multi-pronged attacks by myriad adversaries with unknown capabilities.
That knowledge gap between these attackers and many directors can translate to an inherently uneven battlefield that forces directors to adopt a “hope for the best, prepare for the worst” mentality, an approach Vinson & Elkins partners Jessica Heim and Devika Kornbacher explored during a November 17, 2021, webinar, “Into the Breach: What Directors Need to Know.”
The event, sponsored by V&E, was part of a series of virtual programs organized by the Women Corporate Directors Foundation to help its members navigate an information-security environment with ever-growing risks and a thicket of regulations that never quite keeps pace with them.
Along with Heim, a partner in V&E’s Government Investigations & White Collar Criminal Defense practice, and Kornbacher, who leads the firm’s Cybersecurity & Data Privacy practice and the firm’s Technology Transaction Team, participants included Myrna Soto, CEO of Apogee Executive Advisors and a director of companies including CMS Energy/Consumers Energy and Spirit Airlines, and Chenxi Wang, the managing general partner of Rain Capital, a member of the Board of Directors for MDU Resources (NYSE: MDU), and a strategic advisor to SC Media and various security startups.
Following are six important takeaways from the event:
Look for rising demand for directors with information-security expertise: While many companies don’t yet assign responsibility for cybersecurity to a particular board member, markets are increasingly pressuring them to do so. In the meantime, cybersecurity can be covered under the umbrella of enterprise risk management, for which all members bear responsibility to shareholders. The role of director carries with it a fiduciary responsibility to shareholders, the panelists agreed, and there are a number of risk management efforts that require governance and oversight. While having a board member with a cybersecurity background is extremely helpful, it’s important for all members to have a fundamental understanding of how the organization’s use of technology could introduce risk.
Watch for soaring insurance premiums: While managing insurance premiums isn’t the responsibility of the board, members should expect to see them increasing as cybersecurity threats proliferate and widespread breaches are publicized.
“I’ve seen it go up threefold over the past year for a lot of the companies I’ve worked with,” Kornbacher noted. “That’s not your job as director, but be asking. Look at that line item, and make sure that they’re ready for the number to increase and not just lowering your limit to keep the premium the same, because the exposure is also increasing exponentially.” Wang suggested scrutinizing the full ladder of the company’s insurance policies to determine how each can be leveraged to maximize coverage while managing cost. Board members have insight into the underwriting process, Soto noted, and can examine what types of information management provides to underwriters to get insurance quotes.
Create an effective cybersecurity-reporting structure: “When things go bad, the government comes in and asks a whole bunch of questions and one is, in addition to the board’s responsibility, whether the person within the company who is responsible has a direct line to the board or the committee” tasked with oversight, Heim said. While no regulations so far require a board member to be focused on cybersecurity, that may change, and some laws — such as New York’s Stop Hacks and Improve Electronic Data Security, or SHIELD, Act — already mandate the appointment of an organization staffer to serve as the cybersecurity program manager. Some companies have responded by designating lower-level supervisors, which Kornbacher advises against. Without a broad management view, they may provide formulaic reports that don’t give board members needed information, she said, and they may also lack a direct line of communication with the board.
Ask for real-time information-security data: “At the director level, you want to ask for types of data that indicate the maturity level of the security program of your company,” Wang said. She recommends comparing that data with industry benchmarks, to the extent they’re available, which will help identify gaps that the board can provide resources to correct. Good cybersecurity managers report trends in incident frequency and type, especially when questioned. “If you’re not hearing things like, ‘We’ve had a number of discoveries’ or ‘The following has happened,’ and the response instead is, ‘We’re good’ or ‘We have this,’ it’s a red flag,” Soto said. “Programs should be saying, ‘Here are the trends we’re seeing,’ and ‘Here’s what we’ve fought against.’”
Create and prepare for ransomware scenarios: Mapping a thorough incident response strategy in advance allows companies to make a reasoned decision on whether to pay the demands of hackers holding their networks hostage, as happened to Colonial Pipeline in May, disrupting the U.S. gasoline market. The business paid millions to hackers affiliated with the group DarkSide, some of which was tracked and recovered by the FBI. The panelists stressed that now is the time to be working through those scenarios; once an incident has taken place, it’s too late.
While Soto mentioned that taking a stance of not paying ransoms disincentivizes such attacks, she acknowledged that how the organization responds has to be determined by its status and whom it serves. Incident planning should include a recovery strategy as well as response options, she added.
Position yourself: victim, vindicator or villain: While no company can be bulletproof, building a thorough cybersecurity system, keeping it updated and training employees, executives and directors will help maintain stakeholder loyalty if a breach occurs. An organization that can show it made its best effort to keep information secure and can justify its pre-breach protocols will always be on a better footing than an organization that didn’t invest in combating the threat. The Securities and Exchange Commission, which regulates publicly traded companies, has made clear that it doesn’t accept claims of corporate victimhood at face value, Heim pointed out. If a breach occurs, the agency “is going to be looking very, very closely at all the steps the company is taking, both leading up to the incident and the steps that were taken afterward,” she said. Beforehand, companies have the opportunity to position themselves as one of the three V’s: victim, villain or vindicator, Kornbacher said. “You want to be one of the ones on either end,” she said of the three designations, “not the one in the middle.”
Overall, thorough planning and information gathering will enable boards to respond to cybersecurity threats and intrusions alike more effectively — and not only comply with new regulations but remain ahead of the curve, the panelists agreed.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.