Cybersecurity: A fiduciary duty

The #CyberAvengers are: Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma & Christophe Veltsos

The recent WannaCry ransomware exploit brought into full view several factors that terrify many companies and their boards of directors. Why? Because these directors are charged with the fiduciary duty of overseeing the cyber risk preparations and defences of their companies for their shareholders.

In today’s environment, this presents quite a challenge for companies and boards alike. Security has always been a challenge because the defender must be right 100
per cent of the time and an attacker needs only one lucky shot. Effective cyberattacks can involve factors, such as:

1. A ‘zero-day’ or previously unknown software exploit (or vulnerability) that even advanced IT departments could not have reasonably planned for

2. An exploit that encrypts files when enabled or executed, and will not give the files back unless a ransom is paid

3. A public relations nightmare trying to explain to third parties, regulators (and in the case of WannaCry, hospital patients) why service levels dropped (i.e. evaporated) due to lack of properly segmented back-up recovery media and/or less than rigorous implementation of standard patches for older operating systems

WannaCry had all these factors, and more. First, even though WannaCry was thought to be a zero-day exploit, it was not truly unknown. It had been disclosed in March 2017 as part of a broader announcement of related exploits allegedly stolen from a US government agency. At that time, the software company involved (Microsoft) announced an emergency or ‘critical’ patch designed to fix the vulnerability that was ultimately exploited by WannaCry. A fix had been available for many systems in March 2017. Were all affected systems patched on time? Were all affected systems patched at all? We do not know for sure. The effectiveness of the WannaCry attack, however, gives a strong indication as to the answer.

Secondly, and much worse for the companies and hospitals involved, this was not the first ransomware attack of 2017 (or 2016) or cyberattack on hospitals. A Michigan State University report examined US Department of Health and Human Services data and noted that almost 1,800 cyberattacks occurred in hospitals across the US over a seven-year period. Ransomware, in fact, has established itself as the bane of corporations. According to the FBI, ransomware is reported to have caused losses in 2016 of close to $1billion. This plague has only increased and has prompted much research and writing on cybersecurity best practices (including by us) settling on, at the very least, one or more best practices designed to lessen (if not entirely mitigate) the effects of ransomware. No prudent, risk management-conscious executive or director could have been surprised by these broadly recommended best practices, nor by the more specific need for companies to have properly segmented back-up tapes, media or hard drives.

Despite this, WannaCry surprised people across a myriad of roles and responsibilities.  People were surprised that a simple patch existed that would have enabled companies to avoid the whole issue. Unfortunately, many were caught without back-up media. Serving on the front lines of the cybersecurity battlefield, we were not surprised, but were in fact saddened that WannaCry was so effective, unnecessarily. WannaCry could have been much, much worse.

How to tackle cyber threats

The purpose of this article is not to shame or call out any one particular company or hospital that was affected by WannaCry. The organisations that are bravely dealing with the aftermath of WannaCry have enough on their plates already.

Rather, we write from a different point of view, i.e. that of a board of directors or board of managers of a company that is charged generally with a fiduciary duty of overseeing the cybersecurity posture of a company or organisation. This duty is part and parcel of their duty to oversee the entire enterprise risk management as a whole. As board members, the duty of the directors is not to ‘plug into the computer network’ but to:

• Ask questions designed to bring out potential improvements
• Engage directly with cybersecurity resources inside the company
• Continuously review and improve cybersecurity policies and procedures within the company

This article provides ‘the questions’ that boards should ask regarding the prevention and mitigation of ransomware, as well as provide our suggested ‘right’ answers to those questions. We will leave it to the board members to exercise their fiduciary duty accordingly.

Rather than having a ‘direct’ role in the information technology affairs of a company,
a board has an ‘oversight’ duty. That means directors have a duty to (1) become reasonably informed about the company’s cybersecurity posture, policies and procedures implemented by the company’s senior executives, (2) ask questions of relevant personnel in the company (IT and executives) concerning the cybersecurity posture to see if those policies and procedures are being properly and effectively implemented, and (3) make suggestions or pose thoughts and ideas about how to improve this posture and the cyber risk culture of the company.

In a speech at the New York Stock Exchange on 10 June 2014, former Securities and Exchange Commissioner Luis Aguilar stated: “Clearly, boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk and there can be little doubt that cyber risk also must be considered as part of boards’ overall risk oversight. The recent announcement that a prominent proxy advisory firm is urging the ouster of most of the Target Corporation directors because of the perceived ‘failure…to ensure appropriate management of [the] risks’ as to Target’s December 2013 cyberattack is another driver that should put directors on notice to proactively address the risks associated with cyberattacks.”

Cyber risk must now be viewed as an integral part of the overall enterprise risk management (ERM) framework for a board of directors and must be evaluated, documented and addressed/mitigated, according to the risk profile and economic realities of the company. Each company will have different economic constraints and a unique risk appetite. The exercise of evaluating the risk for the entity and coming to a decision about mitigation within an ERM framework is an essential part of the board’s fiduciary duty.

This fiduciary duty is extremely important (in the age of WannaCry and others). Cyberattacks not only cause costs and business disruptions, but also can cause negative publicity, reputational harm, litigation and regulatory proceedings, each of which negatively impacts the company or organisation involved. Examples of such high-profile cases in the United States are Target Corp, The Home Depot, and Wyndham Hotels. Though there is little case law in the area, courts in the US generally note the duty of a board member is ‘reasonable’ oversight. Not perfect oversight. Not flawless oversight. Just reasonable oversight.

The risk of cyber vulnerability

So, what is reasonable oversight? What questions should be asked to get the board there, especially in cybersecurity, where there is often no right answer (just multiple ‘less wrong’ answers)? The courts will ultimately decide what constitutes reasonable oversight. But in our view,  here is how an effective board director might be able to get to the right place and demonstrate his or her oversight was reasonable:

1. Get the cybersecurity policies and procedures of your company. All of them. Including training manuals. Read them thoroughly and become acquainted with them. Remember, if something goes wrong and your company gets hacked, some third party might say those policies were ill-advised, not enough, or just plain wrong.

2. Understand how your company or organisation is regulated and by which regulatory body. No two regulators are alike. There are material differences, especially between US and UK and EU regulators. Remember, regulators generally get involved when something bad happens and then look at things through a 20/20 hindsight view (which might not show a pretty picture). It is best to be proactive when it comes to cybersecurity.

3. Does your company perform employee training on a semi-regular basis (at least twice a year or more)? Does this training address email policies and social media sites that employees might visit? If your company does not, or performs training only when it is convenient, this area alone could be a ‘red flag’ to regulators.

4. Does your company have in place some sort of email ‘filtering’ system in order to reject any emails that might appear normal, but are actually sent from a spoofed or copycat address? In general, a company email address should be the only address used by company employees (and board members). Filters catch things which change the .com email address of a company in subtle ways to make it appear to be a legitimate email, when it is in fact very illegitimate.

5. When are critical patches and updates made to the network? Once a week, once a month? How quickly are critical or emergency patches made? 48 hours, 72 hours, two weeks, or longer? In general, critical patches should be made in 72 hours or less (e.g. WannaCry patch). Waiting too many days to make a patch effective could be your worst nightmare. Waiting months to make a critical patch effective might spell doomsday to your company.

6. Does your company have enough IT staff to handle not just security alerts that need to be investigated, but also handle patching, applications, the Cloud, and a host of other daily jobs that need to be performed? The lack of skilled cybersecurity workers in the US and UK is critical at this moment, and many companies are simply unable to hire as many people as they need, or as many skilled IT executives they need at a reasonable price. Now is not the time to have an understaffed IT department and there is nothing worse than having an understaffed IT department in a company that gets hacked. There are solutions for this, like managed service providers, and machine-learning driven cybersecurity orchestration and automation solutions. But you need to find the staffing answer first. Then, seek out the help of professionals if necessary.

7. What is your company’s password policy? Is it complex enough, with both letters and numbers and symbols, or can a password, such as ‘password’ or ‘0123456’ be held as sufficient? The answer to this question will be self-explanatory. Complex is good. 0123456 is bad. And ‘P@$$w0rd2017’ is almost as bad as ‘0123456’ as it will be one of the top 100 passwords tested by attackers.

8. Finally, what is your company’s back-up procedure and what back-up media are used by your IT department? This is a more complex question, but the generally rule is ‘back it up’ daily in at least three places: on site, off-site, and in the Cloud. Back-up solutions (which are relatively inexpensive and plentiful for both networks and desktops) should be enacted on a segmented basis, meaning that following the back-up they should be taken off-line and disconnected from the network so an encryption exploit cannot get to them. Remember, this is not like the old days where back-ups were few and difficult to employ. Major companies, such as Amazon (for the Cloud) and Carbonite (for smaller organisations) exist and can train your IT employees to become not only proficient, but fanatical about your company’s back-up policies and procedures.

Everyone is a target

Several factors existed in WannaCry that made us sad and all factors relate to the above questions we are asking you to consider: (1) improper or insufficient patching, (2) aging network architecture which was susceptible to ‘not’ being patched or not having patches readily available, and (3) insufficient back-ups. Unfortunately, each of these factors were and are, for the most part, entirely preventable or fixable at a reasonable cost. Yet they were not.

Why? We don’t know. Is cybersecurity ‘an enigma shrouded in mystery’? Is cybersecurity too hard to understand by most people? Are companies not investing enough in cybersecurity? Do companies think they are simply too small and thus ‘not a target’? We don’t know, but each of these questions begs the following answer: if your company has data that is valuable or computer hardware that is critical to running its business, it is a target. And, even if your company simply sends a lot of email and has employees, it is still a target. Simply put, everyone and every company is a target.

About the Authors:

Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. Mr. Ferrillo regularly counsels clients on cyber-governance best practices (using as a base the NIST cybersecurity framework), third-party vendor due diligence issues, cybersecurity regulatory compliance issues for private equity, hedge funds, and financial institutions that have been promulgated by the SEC, FINRA, the FTC, and the FDIC/OCC, the preparation and practicing of cybersecurity incident response plans, as well as evaluating and procuring cyber-liability insurance to protect against losses suffered by companies as a result of the theft of consumer or personally identifiable information, or as a result of the destruction of servers and corporate infrastructure.