Top 10 Topics for Directors in 2017: Cybersecurity

1. Ransomware. In the first quarter of 2016, phishing email campaigns pushing ransomware increased by almost 800 percent compared to the last quarter of 2015. The FBI estimates that reported ransomware attacks cost their victims a total of $209 million in the first three months of 2016, but when accounting for unreported incidents and lost productivity, one estimate shows a financial impact of $75 billion annually. Ransomware attacks follow a similar pattern: a virus is downloaded by an employee and encrypts a company’s data; then, a message appears demanding a ransom, often in bitcoin, ranging in value from a few hundred to millions of dollars—if the ransom is timely paid, then the information is restored.
2. Cybercriminals have weaponized the Internet of Things. Cybercriminals have diversified their targets, with a large percentage of all targets being user devices and individuals. As more information is stored on smartphones and as more devices connect to the Internet through the expansion of the Internet of Things (IoT), cybercriminals have hacked these devices to obtain information, as well as use them as weapons. The October 21, 2016, Dyn attack revealed this vulnerability. The attackers used malware to take control of hundreds of thousands of devices across the country—printers, baby monitors, Apple TV devices, etc.—and used these to begin a distributed denial-of-service (DDoS) attack on Dyn, a DNS provider that links a domain name to its corresponding IP address (i.e., you type in amazon.com, and it sends you to the Amazon IP address). As a result, websites across the country and around the world—including those of Amazon, CNN, BBC, HBO, PayPal, Pinterest, Spotify, Walgreens, The Wall Street Journal and many others—shut down for hours. We anticipate that attacks like these will continue to rise.
3. Increased regulation at home. U.S. regulators have recognized the growing importance of cybersecurity, and there is no shortage of pressure on directors to get this right. The New York State Financial Services Department led the way in creating a more prescriptive cybersecurity regulation, to be effective in January 2017. Other regulators have also continued their enforcement activities. The Federal Trade Commission (FTC) has prosecuted more than 50 enforcement cases for data security issues. The SEC has emphasized the critical risk presented, as outgoing U.S. SEC chair Mary Jo White commented, “Cybersecurity is one of the greatest risks facing the financial services industry.” The SEC continues to focus on investment advisors and broker-dealers, with enforcement actions for failure to safeguard information. The Yahoo data breaches may also provide a baseline for the SEC’s investigation and enforcement of disclosures from public companies regarding data breaches, with calls for a formal investigation from the Senate.
4. Increased regulation abroad. Data transfer to the EU continues to be challenging. With the overturn of the U.S.-EU Safe Harbor by the Schrems decision, companies turned to model clauses/contracts to transfer data. In 2016, Privacy Shield—the successor framework to Safe Harbor—went into effect, providing additional procedural protections for citizens of EU member states. Privacy Shield has already been challenged by privacy advocates in Europe and will continue to face significant legal challenges, particularly in light of concerns regarding President-elect Trump’s protection of privacy, so its future remains unclear. Data transfers between the U.S. and the U.K. also faced concerns after Brexit, but it is likely that the U.K. Data Protection Authority will follow the Privacy Shield framework. The EU’s General Data Protection Regulation (GDPR) provides material changes to the data protection framework in Europe. The GDPR was finalized in 2016 and becomes finally applicable in May 2018. Unlike the predecessor EU Directive, it applies to organizations based outside of the EU if they process personal data of EU residents. The GDPR includes mandatory data breach notification requirements, “privacy by design,” appointment of a data protection officer and rights to erasure, with severe penalties for noncompliance of up to €20 million or 4 percent of worldwide turnover (whichever is higher). Multinational companies have significant work to do to comply with the framework by 2018.
5. Employees as assets to combat cyber risks. With experts estimating that 90 percent of all data breaches are caused by people, it is easy to view a company’s employees as its biggest threat. The sophisticated use of phishing, spear phishing, personal email, device loss, improper cloud storage and the intentional use of information for profit, sabotage or revenge threatens every company. In 2016, the Internal Revenue Service was forced to issue a special alert warning of W-2 tax fraud phishing schemes, with agents reporting hundreds of compromised companies daily in the first few months of the year. Despite this, employees can become a company’s biggest asset. Providing advanced cybersecurity training, running phishing exercises and building a top-down culture of cyber awareness can be the best detection device and countermeasure against cybercriminals.
6. Checklist for directors. Directors should continue to keep cybersecurity at the top of the agenda by doing the following:
   • establish a clear governance structure for cybersecurity 
   • analyze top risks facing the company and changing threats  
   • review the incident response plan and ensure retained cybersecurity legal advisor and forensic team
   • review the existence and testing of a disaster recovery plan to minimize ransomware threats
   • conduct annual tabletop exercises to practice incident response and ensure coordination across departments
   • provide regular reports to the board with clear cybersecurity dashboards evaluating key audit and compliance metrics; outstanding high-risk findings from prior assessments; benchmarking against established cybersecurity framework such as NIST (National Institute of Standards and Technology) or ISO (International Organization for Standardization); and provide an overview of cybersecurity operational metrics
   • monitor director communications over the Internet and leave all devices outside of the boardroom when sensitive information is to be delivered
   • perform a legal update on regulatory risks and new requirements
   • update vendor access and compliance plans
   • review insurance coverage in the event of a cyber incident

View the full report here.