Cyber Defense in the Boardroom: Leveraging the Financial Oversight Paradigm
Identification Number 1220
Publication Date: May 11, 2016

Cyber security expert John Reed Stark recently shared with us guidance on managing corporate cyber risk. In this first in a series of articles on cyber security, John shares his philosophy on structuring effective cyber risk oversight in the board room.

Hardly a day goes by in legal and consultant circles when some expert somewhere is not opining on the need for corporate boards to bring a greater sense of urgency to address the growing business risk of cyber-attacks. Yet, even the most experienced commentators are underestimating the threat of cyber-attacks, and—even more importantly—overlooking a glaring history lesson that sits in plain view of public companies.

What is this conspicuous history lesson? Boards of directors formulating their cybersecurity oversight should look no further than the current board oversight paradigm for financial accounting and reporting. Boards should put in place the same governance procedures to oversee a corporation’s cybersecurity wellness that have proven effective and sufficiently flexible to assess and validate financial statement accuracy and reliability.

As cyber-attacks continue to proliferate, more and more corporate boards will come to realize that cybersecurity risks now actually trump financial accounting risks – and not just because technology and networks touch every aspect of an enterprise. The nature, extent and potential adverse impacts of these risks demand a proportionate response.

Consider the history of board oversight of financial accounting: As it became clear that corporate insiders were capable of engaging in misconduct, the active oversight and independent supervision over financial controls and governance structures similarly evolved, reducing the risk of financial fraud, fiscal misstatements and management malfeasance. Along those lines, the efficacy of using independent auditors, audit committees and management certifications to deter and minimize such insider misconduct became widely understood and embraced.

However, cyber threats can originate from both inside and outside corporate walls, resulting in a much broader risk profile that requires at least equivalent, if not greater, board attention and focus. Indeed, when compared to the risks associated with internal financial malfeasance, deceit or neglect, suffering a cyber-attack can be far more severe in scope, far more cosmic in breadth and far more unpredictable in latitude.

For instance, after suffering a cyber-attack, a corporation must bear more than the substantial regulatory and litigation costs associated with potential privacy violations. Cyber-attacks involving the theft of intellectual property can result in a company’s immediate or even permanent loss of revenue and reputation; cyber-attacks involving denial of services (such as a website being shut down by nefarious hackers) can disrupt or forever diminish consumer or customer confidence; cyber-attacks involving exfiltration of private company emails can have a tumultuous impact upon senior management and create an international uproar; cyber-attacks involving destruction of technological infrastructure or damage to the integrity of a company’s data can require massive and costly remediation; cyber-attacks involving the theft of (and future trading upon) confidential information can damage the integrity of a company’s stock price and disrupt financial markets…and the list goes on.

Notwithstanding these potentially grave consequences; notwithstanding the fact that most experts now view cyber-attacks to be inevitable; and notwithstanding the pervasive nature of the risk, most corporate boards fail to allocate to cybersecurity the same level of oversight routinely afforded to the area of financial reporting.

This needs to change.

Just as occurred in the financial accounting realm, old and stale governance models must be modified and enhanced to address the very real, difficult to control and ever increasing enterprise threat of cyber-attacks. In practical terms, this means that, just as it does for financial reporting, every corporate board should:
  • Create a cybersecurity committee (just like its audit committee);
  • Engage an independent cybersecurity firm to conduct an annual cybersecurity audit (just like an independent accounting firm conducts and signs off on an annual financial audit); and
  • Add cybersecurity expertise and knowledge to the board (sitting right beside the board’s accounting and financial expert).
Following this recommendation will improve overall enterprise risk identification and management of cyber-related challenges and threats -- and fulfill the most fundamental duty of care that every director owes to the corporation, its shareholders and other stakeholders.

Historically, when it comes to their CFOs and the financial reporting function, the successful board paradigm has been one of vigorous and independent supervision, requiring the participation of independent third parties. The same should go for CTOs, CIOs and CISOs, and the maxim of trust but verify should be equally operative in both contexts.

Board members may soon have little choice but to take these steps, not merely to protect their companies but also to protect themselves. Given the current D&O litigation landscape relating to cybersecurity issues, cybersecurity breaches not only create regulatory and other legal liability for corporations but can also create personal liability for directors. For their failure to oversee cybersecurity with the requisite level of care amid the growing corporate risk of cyber-attacks, boards may be sued or reported by a whistleblower.

Boards should also understand that, just as with financial accounting failures, when cyber-attacks are handled correctly and appropriately, the response not only strengthens a corporation’s infrastructure but also reinforces strong business ethics; fierce customer dedication; and steadfast corporate governance.

There is a terrific scene in Ron Howard’s 1995 film Apollo 13, which demonstrates this notion of successful failure so brilliantly. The film, which takes place in 1970, shows the trials and tribulations of the Apollo 13 crew, mission control, and families after a near-fatal in-space accident cripples the space vehicle. NASA must devise a strategy to return Apollo 13 to Earth safely in the ultimate crisis management situation. Just before the most intense moment, when it remains unclear whether the astronauts will survive their desperate re-entry flight back to Earth, several senior NASA officials and spokesmen are mulling over the impact of the accident. One of them states, “I know what the problems are. This could be the worst disaster NASA's ever experienced.” Ed Harris, playing Gene Kranz, the famed NASA Apollo 13 flight director, overhears the misguided discussion and interrupts them, firmly declaring, “With all due respect, sir, I believe this is gonna be our finest hour.” It is a scene any corporate board member would find particularly compelling.

For boards contemplating their cybersecurity oversight, there is no need to reinvent the wheel. History provides an authoritative guide. By leveraging financial accounting governance lessons acquired over the past 70 years, and elevating cybersecurity oversight to the top of the risk food chain, boards can better protect their corporations from cyber-adversaries, better carry out their fiduciary responsibilities – and establish a leadership position in managing the emerging and dynamic risk of cyber-attacks.

John Reed Stark, President of John Reed Stark Consulting LLC, served for 15 years as an SEC enforcement attorney leading cyber-related projects, investigations and enforcement actions. He served for 11 years as Founder and Chief of the SEC Office of Internet Enforcement and for 15 years as an Adjunct Professor at Georgetown University Law School teaching a law and technology course.
Cyber Insurance: Why Your Company Needs It
Identification Number 1231
Publication Date: July 8, 2016

In this second in a series of articles, cybersecurity expert John Reed Stark explains the necessity for stand-alone cyber policies.

The time is now for stand-alone cyber insurance.  The tensions between traditional insurance policies and data breach coverage have prompted the dawning of a new era of stand-alone “cyber insurance.” And this new era has only just begun. Global insurance broker Marsh LLC recently reported a 27% increase in stand-alone cyber insurance purchases by its U.S.-based clients in 2015, continuing a pattern of strong growth, while PricewaterhouseCoopers estimates that annual gross written premiums for cyber insurance will increase from about $2.5 billion in 2015 to about $7.5 billion by the end of the decade.

Clearly, stand-alone cyber insurance will become yet another basic element of a company’s insurance coverage, just as property insurance and health insurance are.  Many companies might even find their customers demanding the carrying of cyber insurance as a matter of good business practice.  Here are three important reasons why:

  1. Professional liability insurance, business interruption insurance, general liability insurance and property insurance might not cover many of the costs associated with cyber-attacks.  Unfortunately, companies are finding that their professional liability insurance, general liability insurance and property insurance might not cover many of the costs associated with cyber-attacks.  Despite at least one recent victory for the insured, embryonic case law (with very little appellate-level authority) concerning insurance and data security incidents remains all over the map and evidences the uncertainty as to exactly what cyber-related incidents are covered by traditional insurance policies. Outcomes depend on the nature of the breach, the relationship of the parties, the type of information at issue (such as personal information, intellectual property, trade secrets and emails), the precise form of the operative policy and, if related to third-party liability claims, the allegations asserted and the type of damages sought.
  2. Companies that maintain cyber insurance may have the best cyber security policies and practices.  Before obtaining cyber insurance coverage, a company typically undergoes a fairly rigorous underwriting process.  Just as the physical exam typically required by insurance companies before issuing life insurance can prompt better personal wellness practices, a cyber insurance exam can prompt better company cybersecurity wellness.  Relatedly, while it has been suggested that having insurance encourages companies to slack off on security, some research suggests the opposite, i.e., that those companies with good cybersecurity practices are more likely to purchase insurance. 
  3. Companies falling victim to a cyber-attack should not expect any assistance or even compassion from the government.  In fact, companies should expect quite the opposite for several reasons:

    • First, the U.S. government is overwhelmed with protecting the nation’s own infrastructure and does not have a SWAT or other rescue team standing by to assist U.S. companies after a cyber-attack;
    • Second, while it may seem counterintuitive, state and federal agencies often pursue cyber-attack victims not with a helping hand, but instead with subpoenas, enforcement actions and an onslaught of lawsuits.  Furthermore, state privacy statutory regimes and a growing range of federal agencies each wield their own unique set of rules, regulations, statutes and enforcement tools; and
    • Third, the public’s (and Congress’) perception of cyber-attack victims has sadly become not one of understanding or empathy, but rather one of suspicion, skepticism and even vilification.

The Increasing Cost of Data Breaches.  Given the rising costs of data breaches, the growth of the cyber insurance market is not surprising.  Two separate recent studies by the Ponemon Institute and Deloitte Advisory found traditional data breach costs are on the rise; at the same time the hidden costs of data breaches also are proving to be far more expensive than anyone has predicted.

The annual Ponemon Cost of Data Breach 2016 report established benchmark statistics that show significant cost increases.  Specifically, the comprehensive study found that the average cost of a breach at organizations has jumped past $4 million per incident, a 29% increase since 2013 and a 5% increase since 2015.

Meanwhile, Deloitte Advisory services recently found that damages sustained from a cyber-attack could be much higher than those outlined by Ponemon and present themselves many years after the breach.  Deloitte's report, “Beneath the Surface of a Cyber-attack,” showed that in addition to the well-known costs like breach notification, post-breach protection and technical investigations, hidden costs also present themselves (such as insurance premium increases, increased cost to raise debt and devaluation of trade name).

Deloitte estimates that known costs may account for less than 5% of total business impact.  In one composite model, Deloitte found that cyber-attack costs to a health care company amounted to $1.6 billion due to a significant breach of patient records, with only 3.5% of those costs coming in the form of “above the surface” costs.  The costs under the surface can ripple outward, including temporary or even permanent damage to brand reputation; loss of productivity; extended management drag (especially due to class action lawsuits); and a negative impact on employee morale and overall business performance.

The Wild, Wild West.  Though Jimmy Durante could insure his nose ($50,000); Julia Roberts can insure her smile ($30 million); and Bruce Springsteen can insure his vocal cords ($6 million), it can be far more challenging for public and private companies hoping to insure themselves against the considerable and far-reaching breadth of a cyber-attack.  In short, given the litany of uncertainties and what some insurance professionals have referred to as the “actuarially immeasurable” results of cyber-attacks, the market for insuring against cyber-attacks is the Wild, Wild West, replete with high premiums, low coverage, broad exclusions and scant legal precedent.

For starters, though the market for cyber insurance continues to evolve and grow dramatically, no form of standardized cyber insurance policy language has yet materialized.  The cyber insurance market is flying completely blind.  There is no proven road map for analysis; no archive of empirical statistically significant data; and no quantification algorithm for calculating cyber-attack risk.  Thus, the actuarial challenges of predicting/gauging both the probability and the impact of a cyber-attack make it difficult to match a cyber insurance policy with the unique risk profiles of today’s global and technologically erudite companies.  Not only do insurance analysts face difficulties, but so do the most experienced companies.

Meanwhile, the complexity, sophistication and variety of a new wave of cyber-attacks continue to swell.  So-called “hacking” is dying from the cyber lexicon along with the historically simplistic and naïve image of mischievous teenagers wreaking havoc from a server in their parents’ basement.  What has supplanted these now-antiquated notions is a litany of new-fangled cyber-attack root causes with dramatically expanding attack vectors, including: denial of service assaults; malware intrusions; advanced persistent threat (or “APT”) terrorist acts; rogue employee and “bad leaver” episodes; social media exploits; mobile device attacks; ransomware demands; cloud computing infiltrations; and human error events.

How can an insurance company possibly organize and mitigate such a dynamic and ever-changing array of risks into a cohesive, logical and effective cyber insurance policy? Gauging a company’s security posture has turned out to be a much more manifold endeavor than anything the insurance industry has mastered before, such as assessing human life expectancy or driving records.  Even the U.S. Department of Homeland Security officially has acknowledged that the cyber insurance market remains confusing for most companies and can be overlooked for all of the wrong reasons, stating in a recent report:

“Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.  A robust cybersecurity insurance market could help reduce the number of successful cyber-attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.  Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack.”

Convinced your company needs cyber insurance? In our next article in the series, John will offer tips for navigating the complex cyber insurance marketplace.

Read the first article in this series: Cyber Defense in the Boardroom: Leveraging the Financial Oversight Paradigm

John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm.  Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement.  He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office.  Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.

Cyber Insurance: How to Find the Right Policy
Identification Number 1240
Publication Date: August 2, 2016

In this third in a series of articles, cybersecurity expert John Reed Stark offers tips for navigating the complex cyber insurance marketplace.

A near certainty for public and private corporations is that, at some point, they will be subject to a cyber-attack. And what is indisputable is that cyber-attacks are almost always extraordinarily complicated and will require a host of costly responses. So it seems that for today’s risk-averse companies, the best way to gain insight into the question of cyber insurance is not only by understanding the growing and complicated hazard of cyber-attacks, but also by obtaining a stand-alone cyber insurance policy that contemplates carefully the workflow that typically occurs during their aftermath.

How to Find the Right Policy. Traditionally, purchasing insurance coverage begins with a policy review, a risk breakdown and a range of other risk-related analytics. However, when contemplating a cyber insurance policy, companies should initiate more of a “reverse-gap” approach toward that calculus, analyzing and scrutinizing the typical cyber-incident response workflow that follows most cyber-attacks.

By analyzing and revisiting the realities and economics of this workflow, a company can then collaborate with its insurance sales representatives and originators to allocate risk responsibly and determine, before any cyber-attack occurs, which workflow costs will trigger coverage; which workflow costs will be outside of coverage; and which workflow costs might be uninsurable.

It also is crucial that companies conduct the necessary due diligence to be sure that their cyber insurance carrier has a good claims-paying and claims-handling history and has a proven record of rapid and supportive response. When a cyber-attack occurs, too often there are doubts as to coverage, which can affect incident response.

Cyber insurance policies also can differ dramatically in their goals and objectives. For example, some policies are designed to cover HIPAA and PCI violations, as well as other regulatory noncompliance, while other policies are geared more for direct financial losses due to wire transfer fraud. For instance, if a company manages trust accounts on behalf of customers, the company likely will require insurance coverage for direct cash losses in the event of a network intrusion that results in the unlawful transfer of funds.

Cyber insurance policy premiums are “not one size fits all”, as premiums are factored on a company’s industry, services, data risks and exposures, computer and network security, privacy policies and procedures and annual gross revenue. At present, there are 70 or so insurance carriers writing cyber insurance policies, and nearly all of those policies are issued on a surplus lines basis with potentially significant differences in policy wording from one cyber policy to the next.

Watch Out for Exclusions. Just like traditional insurance policies, cyber insurance policies can contain a broad range of potentially troubling exclusions. Agreement on the wording and scope is a critical aspect of the negotiation process. Given the dearth of case law on cyber insurance exclusions, policyholders unfortunately lack the benefit of precedent when assessing the boundaries of coverage. Some examples of cyber insurance battleground issues concerning exclusions for significant expenses are:

  1. Failure to Follow Minimum Required Practices. The first question after any data breach, posed by many interested constituencies (including customers, partners, employees, regulators and class action attorneys), is whether the cyber-attack occurred because of some sort of cybersecurity failure. However, despite the popularity of the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST), no codified or judicially concocted cybersecurity standard exists. Hence, the adequacy of a company’s cybersecurity defenses is always a subjective determination and often involves “looking back” to the cybersecurity technology used by a company at the time of the actual breach and assessing its adequacy. This sort of second-guessing and 20-20 hindsight can provide useful fodder for insurance companies seeking to avoid paying a claim. Along these lines, when a policyholder fails to “continuously implement” the security procedures and risk controls that it identified in its insurance application, an insurance company may argue the triggering of a “reps and warranties” exclusion.
  2. Act of War/Terrorism. Many cyber insurance policies contain exclusions for terrorism, “hostilities (whether war is declared or not)” and claims arising from “acts of foreign enemies.” In a car insurance or homeowner policy, an exclusion for acts of terror or foreign enemies may not seem important – or even relevant to any decision. But for cyber risk policies, these exclusions could pose a real problem. After discovery of a cyber-attack, digital forensic specialists and malware reverse engineers often will be asked to theorize as to the identity of a particular perpetrator of a cyber-attack, or even to construct a profile of the intruder. Sometimes, among the fragments, remnants and artifacts found in a laptop or server (including within deleted recoverable files, unallocated and slack space or the boot sector), evidence may point to a particular attacker or “cyber-gang,” and a data security incident may be deemed an act of state-sponsored terrorism. But these conclusions can be speculative and are only as good as the reputation and experience of the incident response team. Nonetheless, if, for example, a digital forensic specialist labels an APT attack as an act of terror, such labeling could trigger an “act of terror” exclusion. This question may be especially germane if the policyholder is in a key infrastructure industry, defense industry or technology sector.
  3. Third-Party Acts or Omissions. The third-party vendor sector has become one of the more prevalent attack vectors in recent cyber-attacks, yet some cyber policies might not cover acts and omissions by third parties or data in the custody of third parties. Nowadays, cyber-attacks also often result in disputes as to the culpability for an attack, with vendors and companies each pointing the finger at one another for their perceived respective cybersecurity failures. When a dispute arises between a company and its vendor with respect to culpability for a cyber-attack, an insurance company may wait until the dispute is resolved, because the outcome could trigger a “third-party act or omission” exclusion.
  4. Unauthorized Collection of Customer Data. Some cyber insurance policies contain exclusions for losses related to data collection that was not authorized. Policyholders that gather information for consumer transactions, marketing purposes or as part of their core business model must gauge how an insurance company might use an exclusion for unauthorized collection to evade insurance coverage for a data security breach claim, especially if the policyholder is not meticulous about what data it collects; where data is warehoused; and how data is transferred.
  5. Retroactive Dates. Many policies include some sort of “retroactive date,” which disclaims coverage for claims or loss in connection with breaches that occur prior to that date. However, when a company discovers a breach or is notified about a breach (e.g., by the U.S. Air Force or FBI, which is very often the case), the company often then discovers that the breach originally occurred long before (months, sometimes even years). If the retroactive date is relatively recent in time (perhaps even the date of policy inception), there is a risk of losing coverage for earlier-occurring breaches. Policyholders should carefully evaluate retroactive coverage options pertaining to undiscovered breaches occurring earlier in time.

Documentation.  Given that cyber insurance is only in its infancy, claims against such policies will have a higher rate of litigation than other more established insurance products. Thus, when a cyber-attack victim company has its first conference call with its insurance company adjuster, the adjuster might also add the insurance company’s litigator to the meeting. The litigator undoubtedly will follow up the call by sending a detailed letter of inquiry to the victim company, which will be more akin to a lengthy and comprehensive litigation discovery demand, rather than a simple request for information.

Whatever the type of cyber insurance held by a victim company, insurance adjusters will scrutinize all invoices pertaining to the data breach response workflow, requiring briefings and documentation regarding all investigative efforts. Along these lines, communication lines also should be established where a professional on the incident response team, preferably counsel, maintains carefully written documentation of all the response efforts. This helps later on when gathering the “documentation package” to present when seeking insurance reimbursement for the costs of the breach.

Digital Forensic “Panels”.  When negotiating for cyber insurance, some insurance policies will seek provisions mandating use of a specific “panel of digital forensic experts” (even if the victim company already has a prior existing relationship with a particular digital forensic firm). Companies should check carefully on the existence of that kind of provision; much like choosing one’s own surgeon for a heart procedure, a company will want freedom of choice when it comes to selecting a digital forensics/data breach response firm.

Final Thoughts.  To get the most out of cyber coverage, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular cyber risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.

Just like other kinds of insurance, cyber coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound cyber insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.

Read the first article in this series: Cyber Defense in the Boardroom: Leveraging the Financial Oversight Paradigm

Read the second article in this series: Cyber Insurance: Why Your Company Needs It

The Publication Date reflects the date of first inclusion in the Reference Library, which was launched on July 31, 2012, or a subsequent update to the material. Material may have been previously available on a different Nasdaq web site.