9 Out of 10 Respondents Believe Regulators Should Hold Businesses Liable if They Don’t Make Reasonable Efforts to Secure Data
BURLINGTON, Mass. – November 5, 2015 – CA Veracode, a leader in protecting enterprises from today’s pervasive Web and mobile application threats, today issued findings from a joint NYSE Governance Services/CA Veracode survey of 276 board members revealing how cybersecurity-related corporate liability is being prioritized in the boardroom. Nine out of 10 of those surveyed believe regulators such as the Federal Trade Commission (FTC) should hold businesses liable for cyber breaches if due care has not been followed, and more than 50 percent expect investors to demand more transparency as a result of the increased public focus on cybersecurity liability.
Pressure is building for boards and management teams to be especially wary of any corporate behavior that can impact their brand and erode shareholder value. In fact, according to Forrester, 88 percent of the S&P 500 market value consists of goodwill and intangible assets such as reputation, brand, innovation, processes, know-how and customer experience.[i] Further, security is now the second leading risk to a company’s brand – behind ethical issues and ahead of traditional risks related to safety, health, and the environment.[ii] It should come as little surprise that legal risk related to cybersecurity is a major concern for corporate directors, especially as businesses of all kinds increasingly rely on the digital domain to drive competitive differentiation and growth.
Threat of Legal Action Due to Breaches
The onslaught of high-profile cyberattacks is expected to lead to an increase in legal actions regarding who should be held liable in case of a breach. Three out of five respondents foresee an increase in shareholder lawsuits as a result of heightened corporate liability due to cybersecurity issues. Nearly 50 percent who knew of the FTC’s lawsuit against a major hotel chain said the case has influenced their executive discussions on cybersecurity liability. In the case, a Federal Appeals Court recently ruled that the FTC can pursue the defendant for failing to employ reasonable data security measures, such as using vulnerable out-of-date software.[iii]
Further, 90 percent of respondents feel third-party software providers should bear legal liability when vulnerabilities are found in their packaged software. This is particularly relevant because, according to CA Veracode’s 2015 State of Software Security Report, nearly three out of four enterprise applications produced by third-party software vendors contain vulnerabilities listed in the OWASP Top 10, an industry-standard security benchmark.
Preparing for Increased Cyber-Related Liability
Key questions raised by the survey highlight the debate needed to frame the liability issue. For example: When should a company be considered negligent in its processes—or lack thereof—for securing sensitive information? What constitutes ‘reasonable’ efforts to address vulnerabilities in web and mobile applications, libraries and frameworks, and other components in its digital infrastructure? Should companies be held liable for not finding a common and easily-found vulnerability such as SQL Injection? Is it a minimum ‘standard of due care’ to patch widely-known vulnerabilities such as Heartbleed, and should businesses be held liable for failing to do so?
While 94 percent of respondents have increased or are planning to increase their security assessments to address liability concerns, two-thirds of respondents say they have also begun or are planning to insert liability clauses into contracts with their third-party providers. Respondents also mentioned hiring outside consultants as well as ramping up security training. Many are also increasing audit committee and board-level oversight – a strategy that’s in line with expert recommendations to report on the business’s cybersecurity measures to the audit committee,[iv] and to the full board on a regular basis.
Is Cybersecurity Insurance the New Driver for Minimum Security Practices?
A majority of companies now have cybersecurity insurance—a market set to triple to about $7.5 billion in the next five years[v]—mainly to mitigate financial losses brought about by liability claims. Of those with insurance, 35 percent currently insure against software coding and human errors that can lead to loss of sensitive data. While insurance is an important step in mitigating cyber risk, it is insufficient on its own to protect against the full impact of a breach, including brand damage and loss in shareholder value.
“Just as the evolution of fire insurance drove the creation and enforcement of minimum standards in the way buildings are constructed and protected, cyber liability insurance is set to soon create a new baseline for cybersecurity best practices,” said Sam King, chief strategy officer, CA Veracode. “As insurance providers tighten requirements for claims payouts, companies will be forced to meet a minimum standard of acceptable practices, thereby improving their overall security posture. Boards would be wise to hold their companies to account to focus on and understand their cybersecurity risk thereby setting an urgency around the issue to prevent brand damage and loss in shareholder value.”
The joint NYSE/CA Veracode white paper with more detailed statistics and conclusions from the survey can be found at https://info.veracode.com/whitepaper-nyse-cybersecurity-and-corporate-liability-in-the-boardroom.html. An infographic based on the findings can also be downloaded at https://www.veracode.com/blog/2015/11/cybersecurity-and-corporate-liability.
The NYSE-CA Veracode “Cybersecurity and Corporate Liability: The Board’s View” survey was conducted electronically over the course of four weeks in September and October 2015. All of the 276 respondents are board directors or senior executives of public companies.