Article
Source: National Association for Corporate Directors
By Brian E. Finch
10.02.14
This article was originally published by the National Association for Corporate Directors on October 2, 2014.
There is no shortage of advice on cybersecurity measures available to corporate directors. What is missing from many discussions about cybersecurity, however, is an exploration of the measures available to minimize a company’s exposure to litigation and financial loss in the aftermath of a cyberattack. This is due in part to the fact that, as of this writing, there is no established cybersecurity baseline directors can point to in order to demonstrate that their actions were reasonable or in line with a standard of care. Fortunately, there is the SAFETY Act, a federal safe harbor law administered by the Department of Homeland Security (DHS). An award under the SAFETY Act establishes a record that a company’s cybersecurity measures were reviewed and found appropriate, relieving many of the concerns about whether the company is doing enough to protect itself from cyber threats.
Under the SAFETY Act, a company that sells cybersecurity products or services, or that deploys them for its own use, can, upon demonstrating that the product or service is effective against cyberattacks, potentially receive two types of liability protection:
The protections are obtained by submitting an application for a SAFETY Act award to DHS, and can attach to a wide variety of cybersecurity policies and products. Most importantly, the SAFETY Act is the only law in existence today that can proactively limit the fallout of lawsuits arising from cyberattacks.
Beyond helping establish that the security measures taken by the company were reasonable and that due care was exercised, the SAFETY Act also provides an excellent argument against personal liability for directors and officers. Pointing out that the federal government reviewed the company’s cybersecurity measures and deemed them effective helps directors demonstrate that they exercised due care in overseeing the company’s cybersecurity program, and it helps mitigate litigation in the wake of a cyberattack that could otherwise result in potentially large losses to shareholders.
Here are three key ways directors can ensure the wise use of the SAFETY Act:
Remember too that the SAFETY Act fits together nicely with cyber insurance. Cyber insurance is important for recovering losses from an attack. However, the global capacity for cyber insurance is very limited, somewhere in the low billions of dollars, and an individual company can typically obtain no more than $350 million in coverage. Considering that the costs of a retail data breach may exceed $1 billion, that amount seems paltry. So, while companies should buy cyber insurance, they cannot rely on it to fully compensate them, much less to set an actual cap on potential losses.
For whatever reason, we seem to have adopted a “blame the cyberattack victim” mentality. Several shareholder suits brought against directors following high-profile cyberattacks confirm that notion, and more litigation will inevitably follow. As these cases are just starting to play out in the courts, it is anyone’s guess how the judges will rule.
Directors therefore have to do everything they can to show that they exercised due care and took all reasonable measures against cyberattacks to preserve shareholder value, and there is no better way to do so than by using the SAFETY Act together with cyber insurance to limit or eliminate liability.