Cyber Attacks: A Clear and Present Danger
Several high-profile cybersecurity incidents in October and November of this year and the federal government’s recent proposal for a national “Cybersecurity Framework” for both the public and private sectors highlight the need for companies to develop or update their cybersecurity programs. An effective cybersecurity program should include initial and ongoing cyber risk assessments that inventory the company’s critical proprietary and sensitive data and take into account business objectives, information management processes, and board and executive oversight.
The High Cost of a Cyber Attack
A report released this year by the Center for Strategic and International Studies pegged the upper range of the cost of cybercrime to the U.S. economy at between $70 and $140 billion annually. Cyber-related incidents are so costly in large part because attackers are increasingly targeting more than just customer credit card and password information. Attacks now routinely target a company’s intellectual property, the destruction or theft of which may affect the company’s basic ability to compete. Further, when a data breach occurs, a company often finds itself the target of costly legal actions brought by regulators, shareholders, and aggrieved customers.
The October 2013 mega-data breach at digital media provider Adobe Systems, Inc. is a well-publicized example of a cybersecurity failure resulting in the loss of both massive amounts of customer data and the company’s own intellectual property. Adobe has indicated that hackers stole the source code to some of the company’s best-known products, as well as millions of customer records—many of which included a user name and associated password. While the total cost of the cyber breach to Adobe and its customers remains an open question, Adobe already has been served with a lawsuit stemming from the incident. On November 11, Adobe customers filed a class action complaint against the company based on violation of California’s Unfair Competition Law and Data Breach Act; the complaint included additional causes of action for, among other things, breach of contract and breach of the covenant of good faith and fair dealing.
Cyber risk is not limited to companies managing and storing millions of records or source code. A recent data breach study found that businesses with fewer than 100 employees account for almost one-third of confirmed data loss incidents. As hacking tools have become more powerful, they also have been simplified, allowing larger numbers of unsophisticated attackers to inflict a surprising amount of damage on unprepared businesses. This makes firms managing even a relatively small number of records more vulnerable to attack. For example, a 2013 study by the Ponemon Institute examined the cost of data breaches in which fewer than 100,000 records were compromised. The study concluded that the average cost to a U.S. company of each breached customer record in these instances is $188 (which translates, for example, into almost $1 million for 5,000 records). This figure accounts for both direct expenses, such as the provision of free credit monitoring subscriptions, and indirect expenses, such as customer turnover. This research illustrates that even the loss of a few thousand records exposes a company to a potential loss of hundreds of thousands of dollars.
Despite Growing Risks, Businesses Are Underprepared
Despite exposure to this risk, many U.S. businesses appear surprisingly underprepared to raise a sufficient cyber defense. This may be due in part to a lack of understanding of the cyber risks that companies face. In turn, this lack of understanding may weaken an organization’s ability to create a culture that rewards behavior favorable to a strong cybersecurity posture.
Recent research suggests that both chief executives and members of the board need to improve their understanding of cyber risk. For example, corporate boards do not appear confident that their chief executives understand the cyber threats their own companies face—only 49 percent of surveyed directors felt that their CEO had a strong understanding of cybersecurity. Research data suggests that board members, too, lack a sufficient understanding of cybersecurity risk. A 2012 Carnegie Mellon CyLab study found that 81 percent of North American boards rarely or never review annual budgets for privacy and information-technology security programs, 67 percent rarely or never review and approve roles and responsibilities of personnel responsible for privacy and security risks, 56 percent rarely or never review top-level privacy and security-risk policies, and 37 percent rarely or never review security program assessments. And the survey revealed that nearly one quarter of board members rarely or never receive reports on security breaches or loss of data.
The failure of a company’s executives to understand and fully appreciate cyber risk may lead to a lax security culture that permits poor security choices by employees engaged in routine business operations. For example, employees should be aware that public wireless hotspots are prime locations for third parties to intercept unsecured data transmissions, and so employees should be trained to avoid transmitting sensitive data over them. Similarly, a laptop or mobile device accidentally left on a train by a careless employee can instantly morph from a minor inventory loss into an existential threat to the business if the device contains unsecured sensitive data. Employees should be trained regularly on the danger such mishaps pose to the business, on how to prevent them, and on the need to report such incidents immediately should they occur.
The risk of loss from an unsecured mobile device has been exacerbated over the past few years by corporate bring-your-own-device (“BYOD”) policies, which allow employees to use their own mobile devices for both personal and business use. While popular with employees, these BYOD policies make it difficult for companies to implement security programs agile enough to keep up with the rapidly evolving technology found in the latest smartphones and tablet devices.
Preparation and Training Mitigate Cyber Risk
Although the cost of a cyber attack can be staggering, a company with a strong security posture and an incident response plan may be able to reduce the cost of an attack significantly. According to the Ponemon study, a U.S. business with a strong security posture can reduce the cost of a breach by up to $34 per record, and a business that implements an incident response plan can reduce the cost of such an event by as much as $42 per record.
These figures make sense—during a cybersecurity incident, the absence of a documented plan will increase the chaos confronting the corporate leadership team and harm its ability to respond effectively and efficiently to the unfolding crisis. For example, without a documented information security plan, executives will have no guidance to help them determine which organizations and individuals should be contacted and in what order. A properly prepared plan will help executives balance demands from the company’s board of directors, the press, shareholders, customers, regulators, and law enforcement against the company’s ability to fully understand the nature of the breach and to prevent the loss of additional information.
A company’s security program also should help its executives implement and enforce security processes and policies that ensure personally identifiable information (“PII”), such as bank account information, customer records, or social security numbers, is properly secured. Such measures should address not only PII in electronic communications sent outside of the company, but also PII contained within intra-office email that a hacker could quickly access after infiltrating a company’s network. Similarly, an effective information security program will limit the data a business stores on the corporate system to that which is actually needed and require deletion of the data when there is no longer a business or legal need for it.
Further, as state and federal regulators scrutinize corporate cybersecurity policies more closely, companies should be prepared to provide evidence that they have (and are using) an information security program. Failure to have such a program in place may increase corporate liability and in some business sectors (e.g., financial services, healthcare) is already a potential statutory or regulatory violation.
Clear and Present Danger
Ultimately, cybersecurity attacks are an unfortunate and costly part of doing business today. As the Financial Services Roundtable (“FSR”), American Bankers Association (“ABA”), and Securities Industry and Financial Markets Association (“SIFMA”) recently expressed in a joint letter to the U.S. Congress, cyber attacks are a “clear and present danger.” While a business cannot prevent every cyber attack, it can reduce its exposure and mitigate this risk by taking certain precautions. At the most basic level, such precautions should include conducting a thorough risk assessment, cultivating a culture of cyber risk awareness—up to and including the highest members of the company and the members of its board—and implementing a comprehensive written information security program and related employee training.