Corporate Governance Insecurity

John Skogerboe
FINC 418-010
December 8, 2016

Corporate Cyber Insecurity

At their disposal, consumers can pull out their Androids, iPhones, or other smartphones and immediately have access to over a million consumer products. With all of the advances in technology, consumers are more connected than they have ever been before. Not necessarily connected to each other, but in a sense connected to their products such as Facebook, PayPal, Venmo, banks, technology companies, email services, and the list continues. The information age has brought monumental change to our society and economy at large. With advances in technology, consumers can now choose to hand their private data, such as credit card numbers, social security numbers, bank account numbers, and other personal information, to corporations in exchange for their services. Thirty years ago, in order to pay back a friend for a late-night dinner, the only option was to go to an ATM to withdraw cash. Through companies that offer services for online transactions such as Venmo, instead of a 30-minute walk to the nearest ATM to withdraw cash, you can now pay that friend back within seconds. The only cost is a small commission fee when a customer transfers money to their actual bank account. However, there is an additional hidden price that a customer does not initially consider when placing their personal information in the hands of a company: security.


When a consumer voluntarily places personal information into the hands of a business, there is a duty of care that the company must fulfill for the consumer: provide them the service or product requested, and make sure that their privacy is protected. Most importantly, however, corporations have a duty of care and loyalty to their shareholders. Although a shareholder may not necessarily be a customer of a company, they should still be concerned with the security of their company’s assets. Corporate governance in America is proof that capitalism works. Our systems of inflows and outflows of capital are the most efficient in the world. This is also evident because the United States has the second highest economy in the world. Capitalism’s success is shown through our country’s leaders in the public and private sectors. Corporations are the backbone of America. They generate equity for shareholders to invest, therefore stoking the flames of capitalism. Corporate boards have evolved from stagnant, management-dominated bodies to lively, independent boards. Corporate directors now hold a substantial amount of company stock to better align their interests with the long-term goals of the shareholders. The proper oversight of management ensures that business decisions are made in good faith and are informed and rational.


Yet, even with all this significant progress in corporate governance, there are still obstacles to improvement. The most important obstacle that needs to be curtailed is the threat of cyber security breaches. Cyber security breaches will continue to pose a significant threat to corporations and are going to be a destructive force on shareholder value as information technology continues to grow rapidly. Through government and firm-level efforts, increases in cybersecurity measures do not necessarily reduce cyber risk systematically. However, I believe making corporate boards more informed, resourceful, and insightful regarding cyber security will have a more efficient and stronger impact on cyber security than government and management efforts.

Cyber security breaches are breaches of a public or private firm’s internal networks. Once a computer hacker breaches a firm’s cybersecurity, they have the potential to steal valuable inside information and personal information. Due to this problem, the government and US corporations are reacting. This trend of activism from the government towards cyber security is increasing the likelihood of change in the regulatory environment, and firms must take these incoming shocks into account. The reaction from corporations is similar. A 2015 survey by the NYSE found that “More than 80% of directors say they discuss cyber security at most if not every meeting” (RANE).


Although the government and corporations are making efforts, the progress is minimal. The only legislation Congress has passed is the 1986 Computer Fraud and Abuse Act. All other proposed pieces of legislation have not succeeded. Moreover, as previously stated, of the same 80% of directors who say they discuss cyber security at most if not every meeting, “66% still lack confidence in their company’s ability to protect itself against hacking” (RANE). Comparably speaking, eight out of every ten directors discuss cyber security, but only six of those eight directors are confident in the firm’s ability to protect itself. It is like telling all of your family that you are getting married but being only half confident that it is actually going to happen. A director’s duty is to act on behalf of the shareholders and bring in resources to help them gain returns on their investments. If a director is not confident in the firm’s ability to protect itself, it may impair the director’s ability to oversee management. The solution to ensuring proper oversight will ultimately rely on reform through a balance of corporate directorship and of government actions.


Because of its complexity, cyber security is both an internal and external risk to a corporation. This summer during my internship with J.P. Morgan Chase, I had the opportunity to network with a cyber security analyst working for the bank. He said the complexities of the science of cyber security could be simplified through a scenario. A security guard ensures that the mall’s products, customers, and assets are kept safe. When there is a security breach, there is a chance that the mall’s assets are going to be damaged or stolen. A cyber security analyst performs the same essential function as a security guard working for a mall. They are a “security guard” for a company’s information on products, customers, and assets. A cyber security breach will result in stolen or compromised information regarding their customers, products, and assets that will damage their brands and result in a loss of value.

Cyber security breaches are increasing in occurrence. “During the period from January 2013 through the third quarter of 2015, there were 20 reported incidents of major data breaches or cyber security events at Fortune 100 companies” (Dembosky). In October of 2013, there was a cyber-attack on Adobe Systems, Inc. in which more than 38 million customer accounts were obtained. Similarly, in 2014 Home Depot suffered a data breach resulting in 56 million stolen credit and debit card numbers, 53 stolen email addresses, and a net cost of $28 million (Aguilar). In December of 2013, there was a cyber-attack on Target Corporation. Without permission, the cyber attacker(s) accessed 40 million Target customer accounts and the personal data of up to 70 million Target customers (Aguilar). This breach is a concrete example of how much of a problem cyber breaches are for corporations.


On February 4, 2014, Target’s CFO, John Mulligan, testified in the US Senate about the breach and elaborated on how they are bettering their cyber security. His testimony highlighted major details of the incident that are both informative and shocking:

    On the evening of December 12, we were notified by the Justice Department of suspicious activity involving payment cards used at Target stores... The theft of the payment card data affected guests who shopped at our U.S. stores from November 27 through December 8th... We immediately started our internal investigation... For many years, Target has invested significant capital and resources in security technology, personnel, and processes. We had in place multiple layers of protection, including 5 firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools. We perform internal and external validation and benchmarking assessments. And, as recently as September 2013, our systems were certified as compliant with the Payment Card Industry Data Security Standards (“Hearing on Privacy” 5).


There are two core issues that stem from this testimony. First, as of September 2013 Target’s security standards were acceptable by the government’s rules, yet these standards still failed to prevent the breach. Second, Target failed to detect the cyber attack until the Justice Department informed them of the breach. If a company arbitrarily invests $100 million in cybersecurity to protect its assets yet is still the recipient of a cyber breach, is the cost greater than the actual benefit? Target invested tremendous time and money into reinforcing its cyber protection and performed benchmark stress tests, yet these investments failed to protect its customers’ private data. Benjamin Dean, a former Fellow for Internet Governance and Cyber-security at Columbia University, says that Target’s “net losses tally $105 million” but that the actual damages done to Target amounted to less than 1% of its annual revenues (Kassner).


From a management perspective, it is not logical for managers to invest money in cyber security if the net loss of a cyber attack is only a hundredth of the size of their annual revenues. In addition to monetary losses, a company’s intangible assets are threatened by cyber attacks. These may include brand reputation damage, loss of productivity, and a loss of customers (Ferrillo). According to an Economist Intelligence Report, “companies struggle to categorize and quantify reputational risk. Especially after a data breach happens, given the fact that there is no formal ownership of reputational risk, responsibility is spread amongst a wide range of business managers” (Ferrillo). Identifying key business risks, whether operational, strategic, or financial, is important to preserve company value. These risks must be efficiently quantified in order to save time and money from the potential threat of a cyber attack. Companies that struggle to identify such risks jeopardize long-term shareholder value.

Overall, the US government and US corporations are well aware of the issue of cyber security. In recent years the burden of cyber security has been placed on government regulators and corporate boards of directors. As mentioned above, management of a company may not necessarily have a financial reason to increase cyber security investments if potential cyber attacks are only a small fraction of their revenue inflows. Management will, however, have a logical reason to increase cyber security investments if the government regulates cyber security.


Through government intervention in corporate cyber security, customers are less likely to have personal information stolen through cyber attacks. Cyber security is being enforced by legislation, but with varied success. There are currently federal cybersecurity regulations in place, but they mostly focus only on specific industries and do not focus on systematic risk. In 1986 Congress passed the Computer Fraud and Abuse Act, making it a federal crime to access a protected computer without proper authorization. The enacted Homeland Security Act of 2002 serves as a foundation for other acts such as the Cyber Security Enhancement Act of 2002. More recently, Congress has introduced the Cyber Security Information Sharing Act. Likewise, other cyber security measures introduced to Congress are the Cybersecurity Act of 2010, the International Cybercrime Reporting and Cooperation Act of 2013, and the Protecting Cyberspace as a National Asset Act of 2010. Nevertheless, these legislative efforts have been met with minimal success. Implementing cyber security regulations through legislation does not seem to be working.


Although legislation has not been historically successful, actions through government agencies are notable. On Oct. 19, 2016, the Fed, FDIC, and OCC issued a joint advance notice seeking input from the public regarding cybersecurity reform until January 17th. Through a series of 39 questions, the regulators want opinions from companies on whether they should implement formal regulations, guidance, or both (Vitale). The new potential regulations will place the government another step ahead for cyber security. Furthermore, the agencies propose to apply the new enhanced standards to institutions under their supervision (including non-bank financial institutions) with total consolidated assets of $50 billion or more. These possible regulations are going to differ depending on how large your company is. Similarly, “the Federal Reserve proposes to apply the standards to financial market utilities for which it acts as ‘Supervisory Agent’ and other financial market infrastructures over which it has the primary supervisory authority or which are operated by the Federal Reserve Banks” (Vitale). The finance industry is a critical sector for cyber security. For example, a successful cyber security attack against the finance industry will have a far greater detrimental effect than a successful cyber security attack against the tourism industry. If the credentials of thousands of Bank of America customers are stolen, they can be used to commit fraud and steal money from Bank of America customers. Given these points, the actions of the Fed, the FDIC, and the OCC are significant.


The efforts from the Fed, OCC, and FDIC do raise the bar for security in America. However, they are still not one hundred percent effective in preventing a cyber breach. Developments in information technology are in a way the Achilles heel of cyber security. Through advancing information technology, we now live in a time where our world economy is more connected than ever. In March of 2016, the Bangladesh central bank was hacked and the hackers attempted to withdraw money from its account at the New York Fed:

    The hackers who robbed more than $100 million from the central bank of Bangladesh succeeded by placing malware on the central bank’s computers that key logged the bank’s credentials and then placed authenticated SWIFT transfers with the New York Bank of the Federal Reserve over the weekend (Vitale).

Although the Fed was successful in stopping a $1 billion transaction, they could not block the transaction of $100 million. The United States government has the resources to stop cyber attacks in critical sectors, but it is limited by its jurisdiction. Bangladesh is an emerging country, and the US government was unable to expand its defense system to other countries’ central banks. Thus, the only drawback to the Fed’s actions is that they cannot expand their influence over foreign powers that have their assets placed in the United States.


In addition to the actions of the Federal Reserve, other government agencies work to prevent cyber breaches. The Department of Homeland Security operates a cyber-security division called the National Cyber Security Division. The CSD’s “mission is to contribute to enhancing the security and resilience of the nation’s critical information infrastructure and the Internet by leading and coordinating research and development among department customers, government agencies, and the private sector” (“Mission”). Some other agencies that work to prevent cyber breaches are the FBI, the US Department of Justice, the US Cyber Command, and even the FCC. These government agencies have success in discovering cyber breaches but not in actually preventing them. For example, Target was unaware that it had been cyber attacked until the U.S. Department of Justice notified it of the suspicious activity involving payment cards used at its stores. Target’s cyber defenses were also compliant with regulatory standards through the Payment Card Industry Data Security Standards (“Hearing on Privacy” 5). Companies such as Target that are compliant with regulations and adhere to the government’s security standards cannot solely rely on the government to guarantee their customers’ personal data will not be stolen.

Overall, through the government’s legislation and agency efforts, cybersecurity prevention has had some success. Even though cyber security legislation has not been effective, efforts through agencies such as the Fed and the Department of Justice are successful because they consolidate the problem of cyber breaches. Cyber security is systematic and not only affects companies that are breached but also affects the well-being of the public.


Although the government is making great efforts to increase cybersecurity measures, it is still in the best interest of companies to invest more than the “standard” that the agencies will set. Companies cannot rely on the benchmark of protection that the government says is acceptable. Companies must accept the reality that even if they have the strongest cyber defense systems on the market, there is still a high probability their defenses will be breached. The most logical answer to this reality is for companies to invest in cyber insurance. Cyber insurance essentially reimburses the company for the damages it receives from cyber attacks. Cyber insurance is an important option for firms to consider depending on their level of cyber risk.


The price and type options of insurance coverage vary for companies. Cyber security insurance coverage may include services such as “customer notification expenses, credit/identity theft monitoring, privacy and security liability, cyber extortion, hacker damage cost, privacy regulatory defense and penalties, computer forensics investigations, and a data breach coach or privacy attorney” (Ferrillo). The wide variety of these services is valuable to any company concerned about its cyber security. For example, Target’s gross loss was $252 million, but with its $90 million cyber insurance, the losses fell to $162 million before tax deductions. Similarly, when Home Depot suffered a data breach in 2014, a $15 million insurance reimbursement lowered the overall cost of the breach from $43 million to $28 million (Kassner). When considering buying cyber insurance, companies must take into account their associated cyber risks and prepare for attacks in advance. High cyber risk should be met with high cyber risk insurance, whereas firms with low cyber risk should evaluate what kind of cyber security they actually need.

Cyber security is a prevalent problem that corporations are facing. Through both government and firm efforts, cyber security is proving to be a larger liability than initially thought. Although firms’ efforts will decrease the likelihood of a cyber attack, the decrease in likelihood is not significant. Improving the functionality of corporate boards will fix cyber security systematically and will prove to be better than government regulation.


One of the main issues with corporate governance and cyber security is that, from a systematic standpoint, directors are concerned with cyber security but ignore the issue. A 2015 survey by the NYSE found that “More than 80% of directors say they discuss cyber security at most if not every meeting” and, of that 80% of directors, “66% still lack confidence in their company’s ability to protect itself against hacking” (RANE). If 66% of directors lack confidence in their company’s ability, that lack of confidence in a director is detrimental to shareholders. Furthermore, a lack of confidence in a director shows that boards are currently ineffective at evaluating cyber risk. If a director’s confidence in their company’s cyber security measures is increased, corporate board members will be more efficient at identifying firm cyber risk.

It is a director’s duty of care to identify their corporation’s risk. Furthermore, directors must work with management on behalf of the shareholders to minimize firm risks. The Caremark case is going to be a popular reference for future cases regarding cyber security breaches and deciding if directors are liable.

Caremark International Inc. was a health services company. It violated laws that prohibited health care companies from paying doctors to refer Medicare or Medicaid patients to their services. A group of shareholders sued Caremark directors for violating their duty of care in Caremark’s Delaware Chancery Court case. Through Caremark, the Honorable William T. Allen created the duty of compliance within corporate governance. The duty of loyalty changed corporate governance by creating a way out of the duty of care:


    A director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses (Caremark).

William Allen said that the opposite of bad faith is good faith. If you do not put systems in place, then you are not acting in good faith. Good faith requires implementation of such system controls. In other words, for directors to be liable for damages done to the shareholders, a director has to do almost nothing. By creating a standard of bad faith, the Honorable William Allen created a new fiduciary duty called compliance. Consequently, if directors make no effort to minimize the corporation’s cyber security risk, they are liable for the damages done to the shareholders.

Cyber security is now taking its foothold in the Delaware Chancery Courts. Most recently, in Reiter v. Fairbank, C.A., the plaintiffs sued the corporate directors for breaching their duty of loyalty to the corporation by not implementing a compliance program to assure compliance with anti-money laundering laws. They claimed that the directors saw the red flags but failed to address them. In his Memorandum Opinion, Chancellor Bouchard concludes:


    Here, the allegations of the Complaint and the documents incorporated therein would allow reasonable minds to argue either side of a debate over whether the directors’ oversight of the Company’s BSA/AML compliance program was sufficiently robust or flawed. But what those allegations do not reasonably permit for the reasons explained above is an inference that the defendants consciously allowed Capital One to violate the law so as to sustain a finding they acted in bad faith. As such, plaintiff has failed to plead with particularity that a majority of Capital One’s ten-member board acted in such an egregious manner that they would face a substantial likelihood of liability for breaching their fiduciary duty of loyalty so as to disqualify them from applying disinterested and independent consideration to a stockholder demand (Reiter v. Fairbank, C.A., 36).


Bouchard upheld the standard of “bad faith” that must exist for directors to be liable. To a person with a reasonable mind, the directors’ oversight of anti-money laundering compliance could appear insufficient or sufficient depending on which side of the argument is taken. The plaintiff could not prove that the board acted in a shocking and unexpected manner. The key implication of the Reiter decision is that the idea of bad faith is upheld. Although this is relieving news for directors, shareholders should be concerned. The same principles from the Reiter case will be significant in determining future court cases regarding cyber security. If directors know that there is significant cyber risk to their company and do absolutely nothing to address these risks, they will be held personally liable for any damages done to shareholders. Reiter is an important case because it gives directors a direct behavior guideline when applying their fiduciary duties to legal risk through data security. Conversely, the Caremark case is relevant for directors failing to minimize cyber security risks and will have a profound impact on how cyber risk is addressed in the future.


Along with properly acknowledging the cyber risk, directors can also protect themselves by being properly informed about their firm’s cyber risk. By being informed about the issue, directors will behave more rationally in the face of a cyber security breach. The main reason why a director should be more informed is that, as previously stated, only 66% of directors are confident that their firm can protect itself against a cyber attack. There should be a systematic change in the environment of corporate boards. For example, every board member should have a basic understanding of the issue of cyber security. Additionally, to better protect themselves, firms should implement a type of cyber sub-committee. This committee will oversee cyber security reporting and disclosure and will be chaired by a director considered a cyber security expert. Overall, the goal of a cyber sub-committee is to make the board oversee cyber risk more efficiently by making the board members more confident in their firm’s ability to protect itself.

Cyber security is currently the biggest issue in corporate governance. Cyber security breaches will continue to pose a significant threat to corporations and are going to be a destructive force on shareholder value as information technology continues to grow rapidly. Through government and firm-level efforts, the substantial effort to increase cybersecurity measures does not reduce cyber risk systematically. However, I believe making corporate boards more informed, resourceful, and insightful regarding cyber security will have a more efficient and stronger impact on cyber security than government and management efforts.


Works Cited

Aguilar, Luis A. "Board of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus." U.S. SEC. New York Stock Exchange, 10 June 2014. Web. 05 Dec. 2016.

Caremark International Inc. Derivative Litigation. Delaware Chancery Court. 1996. Print.

Dembosky, Luke, and Jeremy Feigelson. "How to Disclose a Cybersecurity Event: Recent Fortune 100 Experience." The Harvard Law School Forum on Corporate Governance and Financial Regulation. PwC, 6 Sept. 2016. Web. 05 Dec. 2016.

Hearing on Privacy in the Digital Age: Preventing Data Breaches and Combating Cyber Crime, 6 (2014) (testimony of John Mulligan). Print.

PwC, 15 Nov. 2016. Web. 05 Dec. 2016.

Kassner, Michael. "Data Breaches May Cost Less than the Security to Prevent Them." TechRepublic. TechRepublic, 15 May 2015. Web. 06 Dec. 2016.

"Mission of the Cyber Security Division." US Department of Homeland Security. Ed. Douglas Maughan. Cyber Security Division, 6 Mar. 2015. Web. 07 Dec. 2016.

RANE. "Corporate Governance in the Age of Cyber Risks." Wharton University of Pennsylvania. Sullivan & Cromwell LLP, 10 Dec. 2015. Web. 5 Dec. 2016.

Reiter v. Fairbank, C.A. 39. Delaware Chancery Court. 18 Oct. 2016. CNS Securities Law. Web. 7 Dec. 2016.

Vitale, Joseph P. "Banking Agencies’ Proposed Cybersecurity Regulations." The Harvard Law School Forum on Corporate Governance and Financial Regulation. PwC, 11 Nov. 2016. Web. 05 Dec. 2016.