Cybersecurity: Moving Toward a Standard of Care for the Board
By J. Wylie Donald and Jennifer Black Strutt
J. Wylie Donald is a partner at McCarter & English, LLP in the Firm’s Insurance Coverage Group. Mr. Donald counsels only policyholders and has recovered millions of dollars, by settlement or judgment, on behalf of policyholder clients. Jennifer Black Strutt is an associate in the Insurance Coverage Group as well.
Cybersecurity is all the rage. It provides the plot to James Bond movies,1 headlines news reports2 and prompts presidential orders.3 Among other things, the cyber threat “represents one of the most serious national security challenges [the United States] must confront.”4 The deliberations of corporate boards of directors should be no exception to the furor. This article examines the current status of cybersecurity standards, insurance for cyber risks, and how insurance may or may not inform a board’s standard of care.
Cyber Concerns for the Board
Corporate boards of directors have a lot to worry about. Does the company have in place systems to ensure the company is protected against cyber threat? Are cloud-based data systems secure from breach? Are systems in place to ensure passwords are not compromised? That anti-intrusion software is patched? That encryption is robust? That the company is monitoring and evaluating the reliability of its employees? And if any of those subjects, as well as others, nevertheless leads to a problem, is there insurance to cover the company?
A board of directors’ oversight obligations have been the subject of litigation in Delaware; those precedents are significant, so we will use that jurisdiction as an example. The Delaware Supreme Court has found that directors’ liability for failing to exercise oversight is based on the concept of good faith, which is embedded in the fiduciary duty of loyalty.5 As such, directors may be liable if “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”6 In either case, directors may be liable if it is shown “that the directors knew they were not discharging their fiduciary obligations or that the directors demonstrated a conscious disregard for their responsibilities such as by failing to act in the face of a known duty to act.”7
What does this mean for a board of directors in terms of its potential liability for failing to adequately secure a company against cyber threat? Recent developments in the cybersecurity space are likely to be germane.
Securing Critical Infrastructure
Despite the current gridlock in Congress, the Obama administration has actively focused on protecting the nation’s “critical infrastructure”8 and has issued a Presidential Policy Directive and Executive Order on the topic, asking the Departments of Homeland Security, Commerce and Treasury to develop a program that manages cybersecurity risk.9 Presidential Policy Directive 21 (“PPD 21”) established a national policy on security and resilience for 16 critical infrastructure sectors, including energy and financial services. Specifically, PPD 21 directs the Executive Branch to understand the consequences of infrastructure failures, evaluate a public-private partnership, and develop a comprehensive research and development plan.10 Moreover, Executive Order 13636 – Improving Critical Infrastructure Cybersecurity establishes a voluntary set of security standards for critical infrastructure industries.11
With the goal of establishing security standards, the National Institute of Standards and Technology (“NIST”), an agency of the U.S. Department of Commerce, hosted four workshops around the country seeking input from industry, academia and government regarding the development of a cybersecurity framework (“Framework”). A final version of the Framework is expected to be released early next year, but a preliminary Framework issued on Oct. 22, 2013 provides a set of general cybersecurity practices and core capabilities consisting of five functions: identify, protect, detect, respond and recover.12
Additionally, the Department of Homeland Security (“DHS”), tasked with establishing a voluntary program to support the adoption of the Framework by critical infrastructure owners and operators (“Voluntary Program”), convened two workshops, attended by participants from the private and public sectors, in which cyber risk and insuring cyber liability were discussed.13
Thus, we see two potential components of a cybersecurity standard and, therefore, a board of directors’ standard of care. But the standard is a work in progress. The government continues to develop the Framework and determine how best to encourage critical infrastructure owners and operators to join the Voluntary Program. Insurance has been part of this ongoing discussion.
The State of Cyber Insurance
Cybersecurity insurance is a “claims-made” product and generally covers losses arising from computer or network-based incidents. More than 50 carriers currently offer cyber coverage as enhancements to standard policies or as standalone policies. Limits in some cases can exceed $100 million, although many policies are smaller. Although cybersecurity insurance has been around for several years, it remains a developing, even “nascent,” market.14
Several cybersecurity risks are currently insurable, including liability arising out of (and costs related to) data breach or loss, network damage, cyber extortion and some regulatory issues.15 However, policyholders may have difficulty finding coverage for business interruption, restoration costs and reputational damages.16 Indeed, as explained in the Treasury Department Report:
The market for third-party cyber insurance is developing quickly because losses that a firm causes to its customers, such as from a data breach, are relatively predictable. Conversely, the market for first-party cyber insurance is less developed, as direct cyber losses to firms arising from business interruption and destruction of data and intellectual property are more volatile and not as well understood.
Furthermore, many consider catastrophic loss (such as cyber disasters caused by “war, terrorism, critical infrastructure failure, ‘in the wild’ and state-sponsored computer viruses”) to be uninsurable.18 Thus, as currently available, a board may not be able to protect the company through insurance for certain losses. If those losses materialize, the question may be asked: what other options for protection were considered? Those options are beyond the scope of this article. Instead, we focus now on how the insurance market may (or may not) further develop cybersecurity standards.
Some believe that the insurance industry occupies the ideal position for encouraging the private sector’s adoption of best practices for minimizing cyber loss and maximizing cybersecurity. For example, the Internet Security Alliance (“ISA”), a multi-sector trade association, submitted a report to the White House that summarized the benefits of cyber insurance regarding the implementation of cybersecurity standards.19
Because an insurer will be required to pay out cyber losses, it has a strong interest in greater security to minimize risk. As such, an insurer can require a policyholder to establish that it has adopted certain precautions and practices (such as adopting the Framework) before the insurer will issue coverage. The ISA asserts such requirements may eventually become de facto standards that are tailored to fit the needs of diverse businesses. Additionally, insurers are in a position to reward policyholders who have implemented extra security precautions by charging lower premiums.
The ISA cites several advantages to utilizing insurance to implement safety standards. First, the rapidly evolving area of cybersecurity is not particularly suitable to governmental regulation, especially in view of the diversity in risk profiles between sectors.20 Indeed, specific actions that the government may take to improve security and resilience that are impactful in one sector may be ineffective in another, which may explain why the Preliminary Framework is particularly generic.21 Additionally, cyber risk is global.22 Therefore, U.S. regulation alone cannot effectively manage cybersecurity risk.
Unfortunately, whether these benefits will be realized in today’s cyber insurance market is uncertain. One insurance executive recently noted that “the insurance industry hasn’t been known for its dynamism when addressing cyber risk.”23 Indeed, although the market has seen some recent growth,24 the market for cyber insurance has “repeatedly fallen short of optimistic growth projections” as a result of demand and supply side problems.25 Tyler Moore, assistant professor of computer science and engineering at Southern Methodist University, has concluded that a general lack of awareness about cyber threat–due in part to a lack of mandatory breach disclosure legislation–and a lack of clarity in terms of who is liable for cyber incidents have stifled the demand for cyber insurance in the past.26 At the same time, Moore concluded that “information asymmetries — in particular, the difficulty of assessing the security of an insured party,” have led to supply-side problems.27 As a result, the market for cyber insurance has not developed as quickly as many predicted it would.
The difficulties in underwriting cybersecurity insurance were discussed in detail at the DHS Roundtable in May 2013 (the “DHS Roundtable”). DHS Roundtable participants noted that “carriers typically don’t spend weeks with potential insureds reviewing every aspect of an organization to see what’s happening with its implementation of information security policies.”28 Rather, carriers consider “how well a company understands where it sits uniquely in the cyber risk landscape and how it’s addressing its vulnerabilities beyond basic cyber hygiene. . . . In short, if companies exhibit engaged cyber risk cultures — where informed boards of directors support targeted risk mitigations to address their most relevant cyber risks — then most carriers will consider them to have effective cyber risk cultures worth insuring.”29 Thus, the hypothetical benefit offered by the ISA–that underwriting cybersecurity insurance will enforce a set of “best practices” specific to each business–may not take into account the reality of how insurers underwrite cyber coverage.
Furthermore, insurers have “yet to identify consistent cyber risk trends and the safeguards that organizations can implement to best manage them.”30 To date, other than with regard to breaches of privacy, there has been very little incentive, if any, to report cyber incidents, which causes some in the industry to advocate for legislation requiring broader public disclosure of such events.31 Supporting that position is data showing that the number of privacy breach reports increased significantly after states began adopting privacy breach notification laws, requiring public and private entities to notify affected individuals when personal data under their control has been acquired by an unauthorized party.32
The relative secrecy surrounding successful cyber attacks is problematic for insurers because they lack actuarial data. Without the ability to adequately assess the risk, insurers are forced to write and price policies in a vacuum. Insurers do have the benefit of their own claims history, but the pooling of industry resources would enable all insurers, collectively, to better underwrite policies. Unfortunately, DHS Roundtable participants indicated that there are few incentives and limited means for insurers to share data with one another. Claim-related data is proprietary and not easily given to a competitor. Moreover, “current anti-trust barriers that prevent unlawful industry collusion would likewise stymie the effort to create a carrier database for claims data.”33 The proposed Cyber Intelligence Sharing and Protection Act34 was designed to allow sharing of Internet traffic information (to help the federal government investigate cyber threats and ensure the security of networks against cyber attacks), but privacy advocates were concerned about potential governmental use of the data, and the Senate has not voted on the bill.35 The insurance industry is part of the Financial Services Information Sharing & Analysis Center, through which insurers may share data, but new constructs would be necessary for the sharing of cyber-related claims information.36 Additionally, insurers could share claims data through the Insurance Services Office, but DHS Roundtable participants noted that they lack incentive to do so.37
In sum, many DHS Roundtable participants opined that “expecting the insurance industry to spearhead the development of best cybersecurity practices that companies should adopt in return for lower first-party policy premiums is probably unrealistic.”38 What this may mean for a company is that it may not be able to rely on an insurer’s requirements as evidence that it implemented adequate information systems or controls, and/or consciously monitored its cyber operations, which would negate allegations that its board of directors breached their duty of loyalty.39
The Government’s Position
Notwithstanding the skepticism expressed by the DHS Roundtable participants, the ISA’s viewpoint appears to have been influential on the Obama administration. On August 6, 2013, the White House released a preliminary set of “incentives” for joining the Voluntary Program and adopting the Framework. At the top of the list: Insurance. According to the White House blog, “Agencies suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the Framework and the Program. The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.”40 Some saw this as support for legislation that would stimulate the market, such as the creation of tax incentives, a federal reinsurance program or requiring government contractors to carry cyber insurance.41
The Department of Treasury has acknowledged that insurance may play a vital role toward the implementation of the Framework, opining that “significant input and collaboration with the insurance sector could play a critical role in determining the success of the Framework.”42 Specifically, the Treasury noted “[t]he Framework may … encourage the growth of the private cyber insurance market to the extent that it establishes minimum standards for the cyber insurance industry.”43 However, the Treasury concluded that “[n]o additional legislation would be needed for the continued development of the private cyber insurance industry.”44 Without new legislation or government-sponsored incentives driving the market, the private sector may be left to develop this market on its own.
If the Treasury’s vision for the development of cybersecurity standards moves forward, this would not be the first time that insurers took the laboring oar in developing and implementing safety standards.45 In fact, modern fire safety codes and standards were first developed by fire insurance organizations, which formed the National Fire Protection Association (“NFPA”).46 In the late 1800s, there were nine radically different standards for piping size and sprinkler spacing within Boston, and these inconsistencies led to a high rate of sprinkler system failure.47 The founding members of the NFPA convened to discuss a solution that would benefit the public and also limit their future losses. In 1896, the NFPA released a set of sprinkler installation rules entitled “Report of Committee on Automatic Sprinkler Protection.”48 Today, the NFPA is responsible for 300 codes and standards that are designed to minimize the risk of fire by establishing criteria for building, processing, design, service and installation.49
But, for the moment, there is no “cybersecurity code” even close to the equivalent of a fire code.
Toward a Standard of Care
So if there is no cybersecurity code, the Voluntary Program and the Framework are yet to be built (and may have only general application), and insurance companies have disparate and uneven approaches to underwriting, where can a board look for guidance? The lack of a formal standard does not mean there is no standard of care.
Cyber threat is a known risk in today’s business world. As such, some may argue that the duty of loyalty imposes upon the board of directors an obligation to implement systems to secure a company adequately against this risk, and consciously to monitor and oversee operations such that problems may be resolved when they arise.50
Accordingly, businesses should take an enterprise risk management approach and bring cyber risk discussion “out of the technology stovepipe and into an organization’s broader risk management process.”51 Indeed, it will become increasingly important that companies build a culture that actively searches for cybersecurity problems, compared with a culture that is fearful of discovering them.52 Further, analysts must translate cyber risk into business terms that highlight the financial consequences of cyber incidents so that boards of directors may make educated and strategic risk management investments.53 This will reduce the risk of cyber threat and (should) increase a company’s options in terms of obtaining coverage because the company is worth insuring. Finally, as boards become more sophisticated in understanding their cyber risks, they should consider how insurance may mitigate their potential cyber loss.
1 David Denby, Current Cinema, High Times, “Flight” and “Skyfall”, THE NEW YORKER, Nov. 12, 2012, available at http://www.newyorker.com/arts/critics/cinema/2012/11/12/121112crci_cinema_denby.
2 US Intelligence Chief: Cyberterror Leading Worldwide Threat to US Security, CBS DC (Apr. 11, 2013), available at http://washington.cbslocal.com/2013/04/11/us-intelligence-chief-cyberterror-leading-worldwide-threat-to-us-security/.
5 E.g., Stone v. Ritter, 911 A.2d 362, 369-70 (Del. 2006). Cf. 14A N.Y. JUR. 2d Business Relationships §701 (2013) (noting that in New York, “corporation laws expressly require directors and officers to exercise that degree of diligence, care, and skill which ordinarily prudent men would exercise under similar circumstances in like positions”).
8 See, e.g., Department of Homeland Security, What is Critical Infrastructure, available at http://www.dhs.gov/what-critical-infrastructure (“Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof are increasingly networked and vulnerable to threat.”).
9 Presidential Policy Directive 21 (Feb. 12, 2013), available at http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
12 NIST, Improving Critical Infrastructure Cybersecurity Executive Order 13636: Preliminary Cybersecurity Framework (Oct. 22, 2013), available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf (“Preliminary Framework”). On Oct. 23, 2013, the NIST launched a 45-day public comment period on the Preliminary Framework. Request for Comments on the Preliminary Cybersecurity Framework, 78 Fed. Reg. 64,478, 64,480 (Oct. 23, 2013).
13 See generally http://www.dhs.gov/publication/cybersecurity-insurance.
14 Treasury Department Summary Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636, at 6 (undated), available at http://www.treasury.gov/press-center/Documents/Treasury%20Report Incentives_FINAL.pdf (the “Treasury Department Summary Report”).
15 DHS’S NATIONAL PROTECTION & PROGRAMS DIRECTORATE, Cybersecurity Insurance Workshop Readout Report, at 12 (Nov. 2012), available at http://www.dhs.gov/sites/default/files/publications/cybersecurity-insurance-read-out-report.pdf (“DHS Nov. 2012 Report”).
17 Treasury Department Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636, at 24 n.56 (undated), http://www.treasury.gov/press-center/Documents/Supporting%20Analysis%20Cybersecurity%20Incentives_FINAL.pdf (the “Treasury Department Report”).
19 Larry Clinton, Cyber-Insurance Metrics and Impact on Cyber-Security, INTERNET SECURITY ALLIANCE (undated), available at http://www.whitehouse.gov/cyberreview/documents/ (“ISA Report”).
21 See Slava Borilin, 4th Cybersecurity Framework Workshop: Good News and Bad News, THREATPOST (Sept. 30, 2011), http://threatpost.com/4th-cybersecurity-framework-workshop-good-news-and-bad-news (“Overall, the resulting framework is not specific enough for any of the . . . Critical Infrastructure Sectors to understand the practical steps of implementing a cybersecurity strategy or to at least understand the practical set of instruments (aka security controls).”).
23 DHS National Protection & Programs Directorate, Cyber Risk Culture Roundtable Readout Report, at 7 (May 2013), available at http://www.dhs.gov/sites/default/files/publications/cyber-risk-culture-roundtable-readout_0.pdf (“DHS May 2013 Report”).
24 Benchmarking Trends: More Companies Purchasing Cyber Insurance, MARSH (Mar. 14, 2013), http://usa.marsh.com/NewsInsights/MarshRiskManagementResearch/ID/29870/Benchmarking-Trends-More-Companies-Purchasing-Cyber-Insurance.aspx.
25 Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Policy Questions, in PROCEEDINGS OF A WORKSHOP ON DETERRING CYBERATTACKS: INFORMING STRATEGIES AND DEVELOPING OPTIONS FOR U.S. POLICY, at 13 (2010), available for purchase at http://www.nap.edu/catalog/12997.html (“Moore”).
31 E.g., Moore, at 8. According to Moore, the incentives for not reporting an incident include fear of losing customers, harm to reputation, decrease in stock price and concern that revealing an incident could draw attention to systematic vulnerabilities, making the entity more susceptible to further attack. Id.
32 Id. at 11. Indeed, Beth Diamond, insurance claims focus group leader for Technology, Media and Business Services at Beazley Group, said she received only one to two privacy breach reports per week in 2009, but that number increased to six to eight per week in 2011. She attributed this rise, in part, to increased legislation and companies’ heightened awareness about their legal obligations to report breach incidents. Mark Greisiger, Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches, NET DILIGENCE, at 1 (June 2011), http://www.netdiligence.com/files/CyberLiability-0711sh.pdf; see also DHS May 2013 Report, at 15.
35 DHS May 2013 Report, at 43; Gerry Smith, Senate Won’t Vote On CISPA, Deals Blow to Controversial Cyber Bill, HUFFINGTON POST (Apr. 25, 2013), http://www.huffingtonpost.com/2013/04/25/cispa-cyber-bill_n_3158221.html.
40 Michael Daniel, Incentives to Support Adoption of the Cybersecurity Framework, THE WHITE HOUSE BLOG (Aug. 6, 2013), http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework.
41 See, e.g., ISA Report, at 8 (suggesting requirement that government contractors carry cyber insurance, encouraging information sharing by providing limited exemption from federal antitrust law and Freedom of Information Act for sharing vulnerability information, and creating a limited federal reinsurance program for cyber insurance or offering tax deductions to encourage insurers to increase capital reserves used to pay cyber claims); Moore, at 13 (suggesting legislation that would require disclosure of cyber events and clarify liability concerning the same).
45 One DHS Roundtable participant noted the similarity between cybersecurity and fire safety. Oliver Brew, vice president of the professional liability division of Liberty International Underwriters, stated that “a more mature cyber risk culture could benefit society in much the same way that” fire insurance benefits individual consumers (i.e., installation of smoke alarms qualifies homeowners for premium discounts). DHS May 2013 Report, at 8.
46 See Casey Cavanaugh Grant, The Birth of NFPA, NATIONAL FIRE PROTECTION ASSOCIATION (undated), http://www.nfpa.org/about-nfpa/overview/history.
49 See Overview, NATIONAL FIRE PROTECTION ASSOCIATION, http://www.nfpa.org/about-nfpa/overview.