Private Equity Direct - Feb 2011 - Boards: Prepare to Counter Cyberattacks

No company is exempt from potential cyberattacks. The United States government is no stranger to cyber threats and Director of National Intelligence Dennis Blair believes the government's efforts to defend the country against cyberattacks are "not strong enough."

A breach in security can result in operational and reputational risks, as well as government regulatory sanctions if proper procedures to safeguard and protect sensitive information are not created and filed properly. Attacks at companies such as Victoria's Secret in 2003 and TJX, parent company of discount retailers TJ Maxx and Marshall's, in 2007 and, in 2010, a hijack of more than 75,000 computer systems at nearly 2,500 companies in the U.S., including Google, showcased some of the most sophisticated attacks by cyber criminals to date. TJX suffered immense reputational blows after the company failed to acknowledge the severity of the problem and did not quickly communicate with customers whose personal information was stolen. The fallout from the TJX incident is a prime example of why companies need to carefully compile a prevention plan and a plan of action. As the government continues to struggle, directors must take care to ensure their company has proper privacy and data security precautions in place, both to protect the company and to provide a plan of action should a cyberattack occur.

According to the Federal Cyber Security Outlook for 2010 by Lumension Security and Clarus Research Group, 69 percent of approximately 200 respondents indicated that the overall state of their IT security improved in the past year, while nearly 21 percent indicated that their companies made no changes to their level of compliance. Fifty-seven percent of respondents reported that the biggest obstacle in meeting federal compliance regulations was having the resources available (skilled personnel, bandwidth, budget). Overall, respondents were less confident in their IT security situation, with the majority voicing that preventative measures, such as firewalls, anti-virus and anti-malware, vulnerability assessments and IT governance and risk compliance measures, should increase in the coming year.

Taking the First Step

Boards must insist that they are informed about and understand the company's legal compliance policies and vulnerabilities, says Alan Charles Raul, a partner at international law firm Sidley Austin LLP, where he specializes in privacy and data security practices. "The board should understand the company's important information access and exposures—whether that be consumer names in its database, employee personal information or intellectual property protection," Raul says.

To know what precautions are necessary to safeguard valuable information, boards can recruit members with an IT background. "Boards need to have IT experts—they're still looking at the same skill sets they did 75 years ago," says Jody R. Westby, CEO and founder of Global Cyber Risk LLC in Washington D.C. Westby believes boards need to first reevaluate the skills they are seeking in potential board candidates, as well as receive regular reports from their IT and security departments.

Westby says only a small percentage of boards have risk committees, and often the audit committee takes responsibility for privacy and data security issues. Westby argues that the board should have a specific person or risk committee dedicated to ensuring that the CIO budget is adequately funded, and recalled a situation where a $15 billion company instructed its CIO to "go buy some insurance" in lieu of conducting a privacy and data security plan of action. "Boards provide oversight—but they need to have top-level people in place to make sure policies are properly vetted and reviewed," Westby adds.

Know the Rules

There are two types of privacy statutes, according to Keith Hochheiser, an attorney at Ettelman & Hochheiser, P.C. A breach notification statute applies if a company is maintaining personally identifiable information. If it's breached—something as simple as a stolen computer can make a company vulnerable—employees must be notified immediately. The second statute is more comprehensive; it indicates that a privacy policy must be located on your website. A firm must internally write a procedure and comply with the statute and audit it manually. "If your company is not complying, one could argue that the board has a legal obligation because they should have been aware," says Hochheiser. "Directors could be considered liable and sued as a result."

Directors must guide management to instill a privacy compliance program that will protect investors as well as themselves, adds John Fodera, a partner at Eisner LLC. "Management is responsible for compliance programs, but directors should make sure they are meeting objectives," Fodera says. Oftentimes, a firm has operations spanning multiple states and countries. "Boards must have an understanding of not only the state requirements, but potentially those related to operations abroad," says Fodera. "Depending on where you are doing business, you need to comply with state or country privacy requirements—it's not a level playing field."

Operational and Reputational Risks

Cyber security efforts are integral to both private corporations as well as the economy as a whole. "Cyber criminals are trying to exploit weaknesses in corporate databases—the magnitude and grave risks associated with these attacks should have boards on alert," Raul says. "No one company can take responsibility for the overall computer networks of a country. But the government has alerted the private sector that each company has a responsibility to help protect the cyber networks on which the entire economy is built."

The theft of intellectual property and personal information can cause irreparable damage to a company's reputation. Hochheiser reflected on an instance where an employee left a firm, but still had access to customer information. The company discovered that the former employee was contacting customers using this personally identifiable information and the New York Attorney General came in and discovered there were no policies in place. The firm then had to reassure customers that procedures would be put in place to prevent future incidents.

"But having policies in place isn't enough," Hochheiser warns. He noted that another firm had a privacy policy in place, but no procedure. As a result, when a computer was stolen, the business had no way to back up its privacy policy—which resulted in fines because the attorney general viewed the firm's policy as deceptive. "A big mistake is that companies use really aggressive policies, implying that they are nearly invincible—and aren't able to live up to it," Hochheiser says. "That's a deceptive business practice and you will be fined for it."

As long as companies have a realistic policy in place and annual audits of those policies and procedures—taking care to bring in an independent third-party consultant—courts have shown that such actions will demonstrate that your firm has made reasonable efforts to prevent and deal with a breach in security. Boards must recognize that threats to cyber security are just as detrimental, if not more so, as someone breaking into company headquarters. Competitive and sensitive information could be stolen for months or years before being discovered if the proper safeguards are not in place.
