Corporate boards are bracing for lawsuits and increased government regulation related to cyber incidents such as hacks and data theft, according to a survey conducted by New York Stock Exchange (NYSE) Governance Services and the security firm Veracode.
The survey of 276 directors and officers at publicly traded companies found that corporate boards of directors revealed strong support for greater corporate accountability for issues related to cyber security and cyber risk and said that they were preparing for an increase in lawsuits and regulations linked to cyber security.
The survey was an effort to determine how corporations are thinking about cyber security and cyber risk at the “highest level,” said Chris Wysopal, the Chief Technology Officer at Veracode. “At a senior management level and board level, corporate liability comes into play. This is a true, company wide cost,” he said.
If cyber risk and liability have been back burner issues in recent years, they have been moved to the front burner by incidents like the massive retail sector breaches at Target and Home Depot as well as the devastating hack of Sony Pictures Entertainment. The result: surveyed corporate boards are taking a dim view of companies that don’t protect their digital assets. Among the more notable statistics: 89% of surveyed directors and officers said that a company that does not make reasonable efforts to secure its data should be held liable by regulators, while 90% agreed that third-party software providers should be held liable when vulnerabilities are found in their packaged software.
Surveyed board members also said they are making plans to insulate their company from cyber liability, including the risk posed by deficient third party software. Almost two-thirds (65%) of respondents reported that they have already begun or are planning to insert liability clauses into contracts with their third-party providers.
“Companies realize that they inherit a lot of risk from third party software,” said Wysopal, whose firm tests the security of software applications on behalf of companies. “They want to get an understanding of how to mitigate that risk.
Cyber insurance is one way to do that, and companies reported in the survey that they were expanding their insurance coverage. More than 90% said they subscribed to business interruption and data restoration protection, and more than half (54%) have also chosen coverage for expense reimbursement for penalties such as Payment Card Industry (PCI) fines or state-level rules calling for breach remediation and notification.
Greater scrutiny by insurers is also spurring further investment, as companies adopt employee and insider threat liability coverage or liability protection for lost data that is the result of software coding or human error, the survey found.
“Companies realize that they have a lot of risk from third party software,” said Wysopal. “They want to get an understanding of how to mitigate that risk.” Still, Wysopal said the science of understanding cyber risk is still young. “What is the due care for maintaining software?” Wysopal asked. “We don’t really know.” Compared to the insurance market’s understanding of risks related to transportation or manufacturing, the understanding of risks related to software production and maintenance are hazy at best. “We have best practices like the secure development lifecycle that Microsoft put forward,” he notes. “So maybe if you do that you’re exercising due care. But does that mean that if there’s a bug you don’t have to address it because you’ve already shown due care,” he wondered. “We just have to see how this will evolve.”