MGM Resorts is the latest victim of a cyberattack, which began on September 10th and has set back the gambling and leisure giant substantially, both in terms of business function and income. MGM is not alone. Household names such as Amazon, Facebook, Alibaba, Marriott, and many others have been victimized, as have governments around the world.
It goes without saying that companies are frantically scrambling to respond to cyber threats. Established businesses of all sizes, from large publicly traded giants to “Main Street” private entities, are educating workers on safety and establishing best practices to avoid scams and hacking. Many enterprises have implemented multi-factor authentication and other protections and have trained their workforces in personal work habits that reduce risk. One would presume that a sophisticated company such as MGM, handling a high volume of daily financial transactions across casinos and resorts, would have the latest software protections and practices designed to deter fraud, yet the attacks continue. In the end, everyone is at risk from sophisticated cyber criminals and, unfortunately, the cost of protection will steadily increase as fraudsters adopt ever more sophisticated tools.
This brings us to the question of how such a crime might affect corporate governance. Officers and directors of corporations (and, in many states, the equivalent managers of limited liability companies and other entities) owe certain “fiduciary duties” to the entity and its owners, usually denoted as the duty of loyalty, the duty of care and the duty of obedience. It may not always be obvious, but the duty of care may come into question after a cyberattack. Plainly put, the duty of care is the level of care that an ordinarily prudent person would exercise in a similar position and under similar circumstances (i.e., a “reasonable director” or “reasonable officer”). Directors and officers are expected to satisfy the duty of care by making prudent and informed decisions in managing the business’s assets, including protecting those assets against cybercrime. The question naturally arises: did the directors and officers of a cyberattack victim exercise their duty of care in working to prevent the attack?
To make prudent and informed decisions and satisfy their duty of care, directors and officers cannot ignore their obligation to understand the risk that cyberattacks pose and the steps necessary to prevent and mitigate such threats. Does this mean our business leaders need to become cyber experts and IT gurus? No, but it does mean they must be informed of the “clear and present danger” of cyberattacks and of how to lessen their impact. Beyond the economic loss, the risk that irate shareholders will sue senior management for breach of fiduciary duty following a cyberattack is very real.
Directors and officers should consider the following:
- Review current Director & Officer (D&O) insurance policies, particularly the exclusions, to confirm that they cover breach-of-fiduciary-duty claims arising from cyberattacks. Ensure you also have cyber coverage.
- Ensure that IT and corporate security professionals are competent and are given the resources and budget needed to deploy protective products and practices.
- Work to understand the risk (at a high level) and encourage the use of current technology and best practices to avoid security breaches.
- Set the tone on data security as company leaders. If the boss doesn’t change their password on time, why should anyone else?
In the end, the goal is to be able to show that, as directors and officers, you exercised ordinary prudence in seeking to protect against cybercrime. Unfortunately, in this day and age, that means eternal vigilance against sophisticated and highly organized criminal elements and unfriendly governments, as well as angry shareholders.