Reproduced with permission from Corporate Governance Report, 16 CGR 132 (Nov. 14, 2013). Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com.
Cybersecurity is all the rage. It provides the plot to James Bond movies, headlines news reports and prompts presidential orders. Among other things, the cyber threat ''represents one of the most serious national security challenges [the United States] must confront.’’ The deliberations of corporate boards of directors should be no exception to the furor. This article examines the current status of cybersecurity standards, insurance for cyber risks, and how insurance may or may not inform a board's standard of care.
Cyber Concerns for the Board
Corporate boards of directors have a lot to worry about. Does the company have in place systems to ensure the company is protected against cyber threat? Are cloud-based data systems secure from breach? Are systems in place to ensure passwords are not compromised? That anti-intrusion software is patched? That encryption is robust? That the company is monitoring and evaluating the reliability of its employees? And if any of those subjects, as well as others, nevertheless leads to a problem, is there insurance to cover the company?
A board of directors' oversight obligations have been the subject of litigation in Delaware; those precedents are significant, so we will use that jurisdiction as an example. The Delaware Supreme Court has found that directors' liability for failing to exercise oversight is based on the concept of good faith, which is embedded in the fiduciary duty of loyalty. As such, directors may be liable if “(a) the directors utterly failed to implement any reporting or information system or controls; or(b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” In either case, directors may be liable if it is shown “that the directors knew they were not discharging their fiduciary obligations or that the directors demonstrated a conscious disregard for their responsibilities such as by failing to act in the face of a known duty to act.”
What does this mean for a board of directors in terms of its potential liability for failing to adequately secure a company against cyber threat? Recent developments in the cybersecurity space are likely to be germane.
Securing Critical Infrastructure
Despite the current gridlock in Congress, the Obama administration has actively focused on protecting the nation's “critical infrastructure” and has issued a Presidential Policy Directive and Executive Order on the topic, asking the Departments of Homeland Security, Commerce and Treasury to develop a program that manages cybersecurity risk. Presidential Policy Directive 21 (“PPD 21”) established a national policy on security and resilience for 16 critical infrastructure sectors, including energy and financial services. Specifically, PPD 21 directs the Executive Branch to understand the consequences of infrastructure failures, evaluate a public-private partnership, and develop a comprehensive research and development plan. Moreover, Executive Order 13636 - Improving Critical Infrastructure Cybersecurity establishes a voluntary set of security standards for critical infrastructure industries.
With the goal of establishing security standards, the National Institute of Standards and Technology (“NIST”), an agency of the U.S. Department of Commerce, hosted four workshops around the country seeking input from industry, academia and government regarding the development of a cybersecurity framework (“Framework”). A final version of the Framework is expected to be released early next year, but a preliminary Framework issued on Oct. 22, 2013 provides a set of general cybersecurity practices and core capabilities consisting of five functions--identify, protect, detect, respond and recover.
Additionally, the Department of Homeland Security (“DHS”), tasked with establishing a voluntary program to support the adoption of the Framework by critical infrastructure owners and operators (“Voluntary Program”), convened two workshops, attended by participants from the private and public sectors, in which cyber risk and insuring cyber liability were discussed.
Thus, we see two potential components of a cybersecurity standard and, therefore, a board of directors' standard of care. But the standard is a work in progress. The government continues to develop the Framework and determine how best to encourage critical infrastructure owners and operators to join the Voluntary Program. Insurance has been part of this ongoing discussion.
Tomorrow Part II: The State of Cyber Insurance
J. Wylie Donald, Partner, email@example.com
Mr. Donald counsels and litigates for clients on insurance coverage, environmental and products liability matters.
Mr. Donald has successfully pursued claims under property, general liability, trucking, malpractice, E&O and D&O policies against primary, umbrella and excess carriers, captive insurers, state guarantee funds, insurers-in-rehabilitation and reinsurers. He has tried cases and argued appeals in the state courts in New Jersey and Maryland, conducted private arbitrations and mediations, and argued motions in federal courts across the nation.
Full Bio (http://www.mccarter.com/en-US/J-Wylie-Donald/)
Jennifer Black Strutt, Associate, firstname.lastname@example.org
Ms. Strutt is an associate in the Insurance Coverage practice group. She counsels a broad range of corporate and individual clients on insurance coverage matters including errors and omissions liability, directors and officers liability, personal and advertising injury, environmental property damage, builders risk, and commercial general liability. Ms. Strutt also provides advice to clients interested in assessing their potential risks and the adequacy of their existing insurance programs. In addition, Ms. Strutt represents corporate clients involved in commercial and contractual disputes. Ms. Strutt has experience with all phases of litigation, up to and including trial, in the federal and state courts of Connecticut.
Full Bio (http://www.mccarter.com/en-US/Jennifer-Black-Strutt/)
McCarter & English, LLP
McCarter & English, LLP is a full-service law firm with over 400 lawyers with offices in Boston, Hartford, Stamford, New York City, Newark, Philadelphia, Washington DC, and Wilmington. In continuous business for more than 170 years, it is among the oldest and largest law firms in America.
McCarter offers a broad spectrum of interdisciplinary legal services to our clients—Fortune 100, 500 and middle market companies—which include some of the nation’s leading financial services, high-tech, pharmaceutical and retail entities. The firm handles national, regional and local business transactions and litigation, and counsels governments, non-profits, emerging companies, institutions and individuals, representing clients across all major industries, stages of growth, and practice areas. McCarter possesses the depth of knowledge and range of skills necessary to serve clients in a variety of disciplines and practices, both nationally and internationally—putting in the effort to learn its clients’ business to provide them with efficient, cross-disciplinary legal services around the globe.
Material in this work is for general educational purposes only, and should not be construed as legal advice or legal opinion on any specific facts or circumstances, and reflects personal views of the authors and not necessarily those of their firm or any of its clients. For legal advice, please consult your personal lawyer or other appropriate professional. Reproduced with permission from McCarter & English LLP. This work reflects the law at the time of writing.