NYSE Governance Services and the application security company Veracode recently published the results of a survey of 276 board members titled "Cybersecurity and Corporate Liability". A full 60 percent of respondents expect shareholder lawsuits against companies over cybersecurity issues to increase in 2016. Four out of five respondents said they have, at some point, raised the issue of cybersecurity liability in boardroom discussions.
More important, 89 percent of respondents believe that businesses should be held liable for breaches if they do not make reasonable efforts to secure their customer data. And a whopping 90 percent agreed that third-party software providers should be held liable for vulnerabilities identified in their packaged software (not that this is going to happen anytime soon under the contracts currently in place).
But what constitutes reasonable efforts?
It depends. The industry you are in, how complex your organization is, your business model and the amount of data you store are all factors that influence that determination. However, the large number of data breaches over the last few years means more and more case law on the question is being written.
Craig A. Newman, a partner with Patterson Belknap Webb & Tyler said: "Corporate leaders do not want their companies or brands hurt by the fallout from a major data breach. The headline risk alone—putting aside lost goodwill, consumer trust, market share, and financial standing—is staggering in many cases. That isn't a situation any corporation wants to find itself in. At its core, it's about risk management. No chief executive wants to be the next poster child for a major data breach."
Survey respondents indicated that they are also taking other measures, such as increasing audit committee and board-level oversight, a strategy in line with expert recommendations to report quarterly to the audit committee and annually to the full board. Some directors and officers say they have increased security training for staff and are hiring outside consultants.
Insurance companies require that a company prove it had taken adequate measures to protect its data before a payout can occur. The survey revealed that an increasing number of companies are preparing for this contingency, with 52 percent subscribing to employee/insider threat liability coverage and more than 35 percent seeking coverage against loss of sensitive data caused by software coding errors and human error.
The research also shows that a large number of respondents believe increased cybersecurity liability will make businesses more accountable in exercising their responsibility to protect consumer data. More than 85 percent of respondents said that companies will increase their focus and spending on cybersecurity controls and training.
One of the controls to put in place is effective security awareness training for employees, which combines on-demand web-based training with simulated phishing attacks to keep users on their toes and security top of mind. Find out how affordable this is for your organization and be pleasantly surprised.