Cybersecurity Trends for Boards of Directors

by Skadden, Arps, Slate, Meagher & Flom LLP

Cybersecurity has in recent years become an integral component of a board’s role in risk oversight, but directors often find themselves in unfamiliar territory when it comes to formulating policies and oversight processes that address cybersecurity risk. It can be especially challenging for directors to identify upcoming risks and avoid focusing too much on yesterday’s headlines. Prioritizing the following three areas based on impending cyberthreats and emerging regulatory developments will help corporate directors stay ahead of the curve.

1. Re-Examine the Company’s Business Continuity Plans and Insurance in Light of New Cyberthreats

The fall of 2016 ushered in a new cyberthreat with the massive denial-of-service attack levied against internet infrastructure provider Dyn, which knocked many of the world’s major websites offline. The attack harnessed an army of insecure internet-connected devices (i.e., the internet of things), such as cameras, webcams and digital video recorders, which were infected with malware and under the control of criminal actors. The exploitation of the internet of things was a game-changer for cybersecurity because it enables denial-of-service attacks of unprecedented strength. And criminals have already set their sights on the business community as targets, seeking ways to monetize their new weapons through extortion. Companies must think carefully about their internet-exposed infrastructure and that of their vendors — everything from a customer online portal to their building’s heating, ventilation and air-conditioning system — and brace for heightened levels of disruption to operations if attacked.

A similar trend is taking shape with regard to ransomware, the malware that holds its victims’ data hostage through encryption until a ransom is paid in bitcoins. Ransomware became a dominant threat in 2016, generating over $1 billion in payments. These attacks will not subside anytime soon, but many hackers have moved on to targeted cyber extortions against businesses, armed with more sophisticated malware and demanding steeper payments. Some criminals have taken to stealing sensitive files and threatening their release rather than locking them down with encryption; others have been looking to hold hostage a business’ internet-connected technologies and infrastructure, much like the tactics mentioned above.

As cyberattacks take a more destructive turn, corporate directors should evaluate cyberrisk differently. Compared to a more run-of-the-mill breach of customer data or theft of intellectual property (which can still be harmful), destructive attacks call for unique defensive strategies and must be met with an effective business continuity plan to minimize operational downtime. Indeed, depending on one’s industry, some destructive attacks may imperil the safety of employees or customers, a risk factor that has not traditionally been part of the cybersecurity calculus.

Almost all companies have a business continuity plan on the books, but many have not stress-tested their plans against these evolving threats. One method for doing so is to enlist employees or a cybersecurity firm to attempt to execute attacks through so-called “red teaming,” which should help companies identify any shortcomings before an attack strikes. Certainly such an effort will signal that the board and management are paying attention to these risks.

The board also should determine whether the company’s insurance covers these new risks. Cyber insurance has traditionally focused on privacy breaches, but companies now increasingly seek policies that provide business interruption coverage, including systems failure, cyber extortion and digital asset restoration, as well as contingent business interruption coverage, which covers business interruption caused by a third party such as a cloud provider. In light of these new threats, a company should consider readjusting its insurance coverage accordingly.

2. Scrutinize the Company’s Cyberrisk and Incident Disclosures to the Securities and Exchange Commission

Cyber disclosure has long been on the Securities and Exchange Commission’s (SEC) radar, but based on some signals from the SEC we may now see relevant enforcement actions. In the years since the SEC released its guidance on disclosing material cyberrisks and incidents, publicly traded companies have rarely disclosed specific cyber incidents. Only about three dozen data breaches are disclosed every year, a figure that pales in comparison to the number of actual successful attacks (large or small). The conventional wisdom has been that data breaches seldom move the stock price and are therefore not material. But as we have recently witnessed more examples of significant stock price movement in the wake of a cyber incident, companies should assume that both regulators and plaintiffs’ counsel will be more likely to challenge a nondisclosure. That increased risk should be weighed when making the difficult assessment of whether a cyber event rises to a level requiring disclosure.

Companies also should expect that cybersecurity whistleblowers will come to the fore with greater frequency in the years ahead. Because a failure to disclose cyberrisks or cyber incidents is often difficult for a regulator to identify, it is not surprising that the SEC would try to draw on its successful whistleblower program to pursue its stated goal of incentivizing more robust disclosure. The whistleblower plaintiffs’ bar no doubt noticed that the latest SEC enforcement cybersecurity fine against a financial institution in June 2016 met the threshold $1 million requirement for a whistleblower payout.

As such, the board should first ensure that the company has afforded opportunities for whistleblowers to report internally, and that management has trained information technology managers about what could form the basis for cybersecurity whistleblower complaints and how to properly receive and escalate any issues raised by internal reports to the appropriate level. The board also should ensure that management carefully considers its cyberrisk and incident disclosure practice, mindful of the SEC’s keen interest in this area and the prospect that whistleblowers may increasingly report perceived shortcomings to the SEC.

3. Reassess the Company’s Cybersecurity Compliance

Over the past several years, regulators around the world have taken a keen interest in cybersecurity and data privacy, resulting in a patchwork of overlapping regulations. Last year, however, several regulators started taking a different tack and unveiled a series of prescriptive requirements, unlike the flexible “reasonableness” standards familiar to the security community.

California was the harbinger when the attorney general’s office announced that a list of 20 security controls published by the prominent security nonprofit the Center for Internet Security “define[s] a minimum level of information security that all organizations that collect or maintain personal information should meet” and that a failure to do so “constitutes a lack of reasonable security.” Some in the security community were taken aback that these best practices were turned into a regulatory floor.

A similar reception was given to the New York State Department of Financial Services’ landmark cybersecurity regulations for banks, insurance companies and other third-party service providers within its jurisdiction, which require an array of security measures, staffing requirements and senior-level annual certifications of compliance. Soon after these regulations were announced, the Federal Reserve Board and other banking regulators issued an advance notice of proposed rulemaking, seeking comment on a new set of enhanced cybersecurity standards for certain institutions under their supervision.

These trends are happening overseas as well. China recently announced its first-ever law devoted to cybersecurity, which imposes a number of obligations on “network operators” regarding the protection of personal information and breach notification. A set of more demanding rules, such as data localization and data transfer restrictions, will be imposed on “critical information infrastructure operators,” a potentially broad term covering entities in a wide range of sectors, including public communication and information services, energy, transportation, finance, utilities and e-commerce.

As these new cybersecurity and data privacy rules come into force across the globe, it is an opportune time for corporate directors to reassess how they exercise their governance responsibilities with regard to management’s handling of cyberrisk and compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising