There is a whole universe of potential cyber risk not understood at a board level, and company directors must wake up to cyber threats or risk litigation from all sides.
I recently took part in a panel discussion running a compare and contrast session between the U.S. and the rest of the world on cyber risk disclosures. This was part of a wider Advisen Cyber Liability Insights Conference hosted at The Willis building in London.
SEC Guidance is a Wake-up Call
In October 2011 the Securities and Exchange Commission (SEC) broke new ground by issuing guidance in response to concerns that it was hard for investors in public companies to assess securities risks run by those companies if they failed to disclose data breaches in their public filings. The specific disclosure areas addressed were:
- Pre-attack exposure analysis
- Cyber incidents
- Exposure to the firm in description of business
- Legal proceedings
- Financial statement implications
Whilst no one on the panel (myself included) was aware of similar guidance anywhere else in the world, there was a surprising consensus on the nature of the risks and dilemmas that serious data breaches pose to board directors. The SEC guidance simply highlights those risks.
Implications of SEC Guidance for Other Jurisdictions
The starting point is the same as it is in relation to any other form of significant business risk, i.e. directors are generally under a duty to gain a basic but sufficient understanding of the nature of all such risks. The need to gain this understanding is a key aspect of directors’ supervisory function which the courts (certainly in the UK) have repeatedly said may not be delegated.
In the realm of cyber risk the particular challenge for boards is that the universe of potential cyber risk is broader than it is in relation to many more tangible risks such as health and safety.
Depending on the nature of the company’s activities, serious data breaches can occur through basic human error, as a result of sophisticated hacking activity, or both.
Disclosing Cyber Security Exposures
Nor are the problems and threats faced by companies and their boards restricted to identification of the breach. The dilemma is what to do with that knowledge. On the one hand (as the SEC guidance makes clear) there are perils associated with non-disclosure, but on the other hand, there are risks associated with exposing and disclosing cyber breaches without having first fixed the problem.
A company would not wish to provide an invitation or route map to other hackers to have a go. That in itself could lead to additional reputational damage and destruction of shareholder value. Whilst this dilemma is and remains particularly acute in the United States (and the SEC guidance underlines this), the basic threat and the various conundrums which it poses remain the same for directors everywhere.