John Skogerboe, FINC 418-010
December 8, 2016
Corporate Cyber Insecurity
Consumers can pull out their Android phones, iPhones, or other smartphones and immediately have access to over a million consumer products. With all of the advances in technology, consumers are more connected than they have ever been before: not necessarily connected to each other, but in a sense connected to their products, such as Facebook, PayPal, Venmo, banks, technology companies, email services, and so on. The information age has brought monumental change to our society and economy at large. With advances in technology, consumers can now choose to place their private data, such as credit card numbers, social security numbers, bank account numbers, and other personal information, in the hands of corporations in exchange for their services. Thirty years ago, in order to pay back a friend for a late night dinner, the only option was to go to an ATM to withdraw cash. Through companies that offer services for online transactions, such as Venmo, instead of a 30-minute walk to the nearest ATM to withdraw cash, you can now pay that friend back within seconds. The only cost is a small commission fee when a customer transfers the money to an actual bank account. However, there is an additional hidden price that a customer does not initially consider when placing their personal information in the hands of a company: security.
When a consumer voluntarily places personal information into the hands of a business, there is a duty of care that the company must fulfill for the consumer: provide them the service or product requested, and make sure that their privacy is protected. Most importantly, however, corporations have a duty of care and loyalty to their shareholders. Although a shareholder may not necessarily be a customer of a company, they should still be concerned with the security of their company’s assets. Corporate governance in America is proof that capitalism works. Our systems of inflows and outflows of capital are the most efficient in the world. This is also evident because the United States has the second highest economy in the world. Capitalism’s success is shown through our country’s leaders in the public and private sectors. Corporations are the backbone of America. They generate equity for shareholders to invest in, thereby stoking the flames of capitalism. Corporate boards have evolved from stagnant, management-dominated bodies to lively, independent boards. Corporate directors now hold a substantial amount of company stock to better align their interests with the long-term goals of the shareholders. Proper oversight of management ensures that business decisions are informed, rational, and made in good faith.
Yet, even with all this significant progress in corporate governance, there are still obstacles to improvement. The most important obstacle that needs to be curtailed is the threat of cyber security breaches. Cyber security breaches will continue to pose a significant threat to corporations and are going to be a destructive force on shareholder value as information technology continues to grow rapidly. Government and firm-level increases in cybersecurity measures do not necessarily reduce cyber risk systematically. However, I believe making corporate boards more informed, resourceful, and insightful regarding cyber security will have a more efficient and stronger impact on cyber security than government and management efforts.
Cyber security breaches are breaches of a public or private firm’s internal networks. Once a computer hacker breaches a firm’s cybersecurity, they have the potential to steal valuable inside information and personal information. Because of this problem, the government and US corporations are reacting. This trend of government activism towards cyber security is increasing the likelihood of change in the regulatory environment, and firms must take these incoming shocks into account. The reaction from corporations is similar. A 2015 survey by the NYSE found that “More than 80% of directors say they discuss cyber security at most if not every meeting” (RANE).
Although the government and corporations are making efforts, the progress is minimal. The only legislation Congress has passed is the 1986 Computer Fraud and Abuse Act. All other proposed pieces of legislation have not succeeded. Moreover, as previously stated, of the same 80% of directors who say they discuss cyber security at most if not every meeting, “66% still lack confidence in their company’s ability to protect itself against hacking” (RANE). In other words, eight out of every ten directors discuss cyber security, but only six of those eight directors are confident in the firm’s ability to protect itself. It is like telling all of your family that you are getting married while being only half confident that it is actually going to happen. A director’s duty is to act on behalf of the shareholders and bring in resources to help them gain returns on their investments. If a director is not confident in the firm’s ability to protect itself, it may impair the director’s ability to oversee management. The solution to ensuring proper oversight will ultimately rely on reform that balances corporate directorship and government action.
Because of its complexity, cyber security is both an internal and an external risk to a corporation. This summer, during my internship with J.P. Morgan Chase, I had the opportunity to network with a cyber security analyst working for the bank. He said the complexities of the science of cyber security could be simplified through a scenario. A security guard ensures that the mall’s products, customers, and assets are kept safe. When there is a security breach, there is a chance that the mall’s assets are going to be damaged or stolen. A cyber security analyst performs the same essential function as a security guard working for a mall. They are a “security guard” for a company’s information on its products, customers, and assets. A cyber security breach will result in stolen or compromised information regarding the company’s customers, products, and assets, which will damage its brand and result in a loss of value.
Cyber security breaches are increasing in occurrence. “During the period from January 2013 through the third quarter of 2015, there were 20 reported incidents of major data breaches or cyber security events at Fortune 100 companies” (Dembosky). In October 2013, there was a cyber-attack on Adobe Systems, Inc. in which more than 38 million customer accounts were obtained. Similarly, in 2014 Home Depot suffered a data breach resulting in 56 million stolen credit and debit card numbers, 53 stolen email addresses, and a net cost of $28 million (Aguilar). In December 2013, there was a cyber-attack on Target Corporation. Without permission, the cyber attacker(s) accessed 40 million Target customer accounts and the personal data of up to 70 million Target customers (Aguilar). This breach is a concrete example of how much of a problem cyber breaches are for corporations.
On February 4, 2014, Target’s CFO, John Mulligan, testified in the US Senate about the breach and elaborated on how the company is improving its cyber security. His testimony highlighted major details of the incident that are both informative and shocking:
On the evening of December 12, we were notified by the Justice Department of suspicious activity involving payment cards used at Target stores... The theft of the payment card data affected guests who shopped at our U.S. stores from November 27 through December 8th ... We immediately started our internal investigation ... For many years, Target has invested significant capital and resources in security technology, personnel, and processes. We had in place multiple layers of protection, including 5 firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools. We perform internal and external validation and benchmarking assessments. And, as recently as September 2013, our systems were certified as compliant with the Payment Card Industry Data Security Standards (“Hearing on Privacy” 5).
There are two core issues that stem from this testimony. First, as of September 2013 Target’s security standards were acceptable under the government’s rules, yet these standards still failed to prevent the breach. Second, Target failed to detect the cyber attack until the Justice Department informed them of the breach. If a company arbitrarily invests $100 million in cybersecurity to protect its assets yet is still the recipient of a cyber breach, is the cost greater than the actual benefit? Target invested tremendous time and money into reinforcing its cyber protection and performed benchmark stress tests, yet these investments failed to protect its customers’ private data. Benjamin Dean, a former Fellow for Internet Governance and Cybersecurity at Columbia University, says that Target’s “net losses tally $105 million” but that the actual damage done to Target amounted to less than 1% of its annual revenues (Kassner).
From a management perspective, it is not logical for managers to invest money in cyber security if the net loss of a cyber attack is only a hundredth of the size of their annual revenues. In addition to monetary losses, a company’s intangible assets are threatened by cyber attacks. These may include brand reputation damage, loss of productivity, and a loss of customers (Ferrillo). According to an Economist Intelligence Report, “companies struggle to categorize and quantify reputational risk. Especially after a data breach happens, given the fact that there is no formal ownership of reputational risk, responsibility is spread amongst a wide range of business managers” (Ferrillo). Identifying key business risks, whether operational, strategic, or financial, is important to preserve company value. These risks must be efficiently quantified in order to save time and money against the potential threat of a cyber attack. Companies that struggle to identify such risks jeopardize long-term shareholder value.
Overall, the US government and US corporations are well aware of the issue of cyber security. In recent years the burden of cyber security has been placed on government regulators and corporate boards of directors. As mentioned above, the management of a company may not necessarily have a financial reason to increase cyber security investments if potential cyber attacks are only a small fraction of its revenue inflows. Management will, however, have a logical reason to increase cyber security investments if the government regulates cyber security.
Through government intervention in corporate cyber security, customers are less likely to have personal information stolen through cyber attacks. Cyber security is being enforced through legislation, but with varied success. There are currently federal cybersecurity regulations in place, but they mostly focus only on specific industries and do not address systematic risk. In 1986 Congress passed the Computer Fraud and Abuse Act, making it a federal crime to access a protected computer without proper authorization. The Homeland Security Act of 2002 serves as a foundation for other acts such as the Cyber Security Enhancement Act of 2002. More recently, Congress has introduced the Cyber Security Information Sharing Act. Likewise, other cyber security measures introduced to Congress are the Cybersecurity Act of 2010, the International Cybercrime Reporting and Cooperation Act of 2013, and the Protecting Cyberspace as a National Asset Act of 2010. Nevertheless, these legislative efforts have been met with minimal success. Implementing cyber security regulations through legislation does not seem to be working.
Although legislation has not historically been successful, actions through government agencies are notable. On Oct. 19, 2016 the Fed, FDIC and OCC issued a joint advance notice seeking input from the public regarding cybersecurity reform until January 17th. Through a series of 39 questions, the regulators want opinions from companies on whether they should implement formal regulations, guidance, or both (Vitale). The new potential regulations will place the government another step ahead on cyber security. Furthermore, the agencies propose to apply the new enhanced standards to institutions under their supervision (including non-bank financial institutions) with total consolidated assets of $50 billion or more. These possible regulations are going to differ according to how large a company is. Similarly, “the Federal Reserve proposes to apply the standards to financial market utilities for which it acts as “Supervisory Agent” and other financial market infrastructures over which it has the primary supervisory authority or which are operated by the Federal Reserve Banks” (Vitale). The finance industry is a critical sector for cyber security. For example, a successful cyber security attack against the finance industry will have a far greater detrimental effect than a successful cyber security attack against the tourism industry. If the credentials of thousands of Bank of America customers are stolen, the attackers can use them to commit fraud and steal money from Bank of America customers. Given these points, the actions of the Fed, the FDIC, and the OCC are significant.
The efforts of the Fed, OCC, and FDIC do raise the bar for security in America. However, they are still not one hundred percent effective in preventing a cyber breach. Developments in information technology are in a way the Achilles heel of cyber security. Through advancing information technology, we now live in a time where our world economy is more connected than ever. In March 2016, the Bangladesh central bank was hacked and the hackers attempted to withdraw money from its account at the New York Fed:
The hackers who robbed more than $100 million from the central bank of Bangladesh succeeded by placing malware on the central bank’s computers that key logged the bank’s credentials and then placed authenticated SWIFT transfers with the New York Bank of the Federal Reserve over the weekend (Vitale).
Although the Fed was successful in stopping a $1 billion transaction, it could not block the transaction of $100 million. The United States government has the resources to stop cyber attacks in critical sectors, but it is limited by its jurisdiction. Bangladesh is an emerging country, and the US government was unable to extend its defense system to other countries’ central banks. Thus, the only drawback to the Fed’s actions is that it cannot extend its influence to foreign powers that have their assets placed in the United States.
In addition to the actions of the Federal Reserve, other government agencies work to prevent cyber breaches. The Department of Homeland Security operates a cyber-security division called the National Cyber Security Division. The division’s “mission is to contribute to enhancing the security and resilience of the nation’s critical information infrastructure and the Internet by leading and coordinating research and development among department customers, government agencies, and the private sector” (“Mission”). Some other agencies that work to prevent cyber breaches are the FBI, the US Department of Justice, the US Cyber Command, and even the FCC. These government agencies have success in discovering cyber breaches but not in actually preventing them. For example, Target was unaware that it had been attacked until the U.S. Department of Justice notified it of the suspicious activity involving payment cards used at its stores. Target’s cyber defenses were also compliant with regulatory standards through the Payment Card Industry Data Security Standards (“Hearing on Privacy” 5). Companies such as Target that are compliant with regulations and adhere to the government’s security standards cannot rely solely on the government to guarantee that their customers’ personal data will not be stolen.
Overall, through the government’s legislation and agency efforts, cybersecurity prevention has had some success. Even though cyber security legislation has not been effective, efforts through agencies such as the Fed and the Department of Justice are successful because they consolidate the problem of cyber breaches. Cyber security is systematic and not only affects companies that are breached but also affects the well-being of the public.
Although the government is making great efforts to increase cybersecurity measures, it is still in the best interest of companies to invest more than the “standard” that the agencies will set. Companies cannot rely on the benchmark of protection that the government says is acceptable. Companies must accept the reality that even if they have the strongest cyber defense systems on the market, there is still a high probability that their defenses will be breached. The most logical answer to this reality is for companies to invest in cyber insurance. Cyber insurance essentially reimburses the company for the damages it receives from cyber attacks. Cyber insurance is an important option for firms to consider, depending on their level of cyber risk.
The price and type of insurance coverage vary for companies. Cyber security insurance coverage may include services such as “customer notification expenses, credit/identity theft monitoring, privacy, and security liability, cyber extortion, hacker damage cost, privacy regulatory defense and penalties, a computer forensics investigations, and a data breach coach or privacy attorney” (Ferrillo). The wide variety of these services is valuable to any company concerned about its cyber security. For example, Target’s gross loss was $252 million, but with its $90 million cyber insurance, the losses fell to $162 million before tax deductions. Similarly, when Home Depot suffered a data breach in 2014, a $15 million insurance reimbursement lowered the overall cost of the breach from $43 million to $28 million (Kassner). When considering buying cyber insurance, companies must take their associated cyber risks into account and prepare for attacks in advance. High cyber risk should be met with high cyber risk insurance, whereas firms with low cyber risk should evaluate what kind of cyber security they actually need.
Cyber security is a prevalent problem that corporations are facing. Through both government and firm efforts, cyber security is proving to be a larger liability than initially thought. Although firms’ efforts will decrease the likelihood of a cyber attack, the decrease in likelihood is not significant. Improving the functionality of corporate boards will address cyber security systematically and prove to be better than government regulation.
One of the main issues with corporate governance and cyber security is that, from a systematic standpoint, directors are concerned with cyber security but ignore the issue. A 2015 survey by the NYSE found that “More than 80% of directors say they discuss cyber security at most if not every meeting” and that, of the 80% of directors, “66% still lack confidence in their company’s ability to protect itself against hacking” (RANE). If 66% of directors lack confidence in their company’s ability, that lack of confidence in a director is detrimental to shareholders. Furthermore, a lack of confidence in a director shows that boards are currently ineffective at evaluating cyber risk. If a director’s confidence in their company’s cyber security measures is increased, corporate board members will be more efficient at identifying firm cyber risk.
It is a director’s duty of care to identify their corporation’s risk. Furthermore, directors must work with management on behalf of the shareholders to minimize firm risks. The Caremark case is going to be a popular reference for future cases regarding cyber security breaches and deciding whether directors are liable.
Caremark International Inc. was a health services company. It violated laws that prohibited health care companies from paying doctors to refer Medicare or Medicaid patients to their services. A group of shareholders sued Caremark directors for violating their duty of care in Caremark’s Delaware Chancery Court case. Through Caremark, the honorable William T. Allen created the duty of compliance in corporate governance. The duty of loyalty changed corporate governance by creating a way out of the duty of care:
A director's obligation includes a duty to attempt in good faith to assure that a corporate
information and reporting system, which the board concludes is adequate, exists, and that
failure to do so under some circumstances may, in theory at least, render a director liable
for losses (Caremark).
William Allen said that the opposite of bad faith is good faith. If you do not put systems in place, then you are not acting in good faith. Good faith requires the implementation of such system controls. In other words, to prove that directors are liable for damages done to the shareholders, one has to show that a director did almost nothing. By creating a standard of bad faith, the honorable William Allen created a new fiduciary duty called compliance. Consequently, if directors make no effort to minimize the corporation’s cyber security risk, they are liable for the damages done to the shareholders.
Cyber security is now taking its foothold in the Delaware Chancery Courts. Most recently, in Reiter v. Fairbank, C.A., the plaintiffs sued the corporate directors for breaching their duty of loyalty to the corporation by not implementing a compliance program to assure compliance with anti-money laundering laws. They claimed that the directors saw the red flags but failed to address them. In his Memorandum Opinion, Chancellor Bouchard concludes:
Here, the allegations of the Complaint and the documents incorporated therein would
allow reasonable minds to argue either side of a debate over whether the directors’
oversight of the Company’s BSA/AML compliance program was sufficiently robust or
flawed. But what those allegations do not reasonably permit for the reasons explained
above is an inference that the defendants consciously allowed Capital One to violate the
law so as to sustain a finding they acted in bad faith. As such, plaintiff has failed to plead
with particularity that a majority of One’s ten-member board acted in such an egregious
manner that they would face a substantial likelihood of liability for breaching their
fiduciary duty of loyalty so as to disqualify them from applying disinterested and
independent consideration to a stockholder demand (Reiter v. Fairbank, C.A., 36).
Bouchard upheld the standard of “bad faith” that must exist for directors to be liable. To a person with a reasonable mind, the directors’ oversight of anti-money laundering compliance could appear insufficient from either side of the argument. The plaintiff could not prove that the board acted in a shocking and unexpected manner. The key implication of the Reiter decision is that the idea of bad faith is upheld. Although this is relieving news for directors, shareholders should be concerned. The same principles from the Reiter case will be significant in determining future court decisions regarding cyber security. If directors know that there is significant cyber risk to their company and do absolutely nothing to address these risks, they will be held personally liable for any damages done to shareholders. Reiter is an important case because it gives directors a direct behavior guideline when applying their fiduciary duties to legal risk arising from data security. Conversely, the Caremark case is relevant for directors failing to minimize cyber security risks and will have a profound impact on how cyber risk is addressed in the future.
Along with properly acknowledging the cyber risk, directors can also protect themselves by being properly informed about their firm’s cyber risk. By being informed about the issue, directors will behave more rationally in the face of a cyber security breach. The main reason why a director should be more informed is that, as previously stated, only 66% of directors are confident that their firm can protect itself against a cyber attack. There should be a systematic change in the environment of corporate boards. For example, every board member should have a basic understanding of the issue of cyber security. Additionally, to better protect themselves, firms should implement a type of cyber sub-committee. This committee will oversee cyber security reporting and disclosure and will be chaired by a director considered a cyber security expert. Overall, the goal of a cyber sub-committee is to make the board oversee cyber risk more efficiently by making the board members more confident in their firm’s ability to protect itself.
Cyber security is currently the biggest issue in corporate governance. Cyber security breaches will continue to pose a significant threat to corporations and are going to be a destructive force on shareholder value as information technology continues to grow rapidly. Through government and firm-level efforts, the substantial effort to increase cybersecurity measures does not reduce cyber risk systematically. However, I believe making corporate boards more informed, resourceful, and insightful regarding cyber security will have a more efficient and stronger impact on cyber security than government and management efforts.
Works Cited
Aguilar, Luis A. "Board of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus." U.S. SEC. New York Stock Exchange, 10 June 2014. Web. 05 Dec. 2016.
Dembosky, Luke, and Jeremy Feigelson. "How to Disclose a Cybersecurity Event: Recent Fortune 100 Experience." The Harvard Law School Forum on Corporate Governance and Financial Regulation. PwC, 6 Sept. 2016. Web. 05 Dec. 2016.
Caremark International Inc. Derivative Litigation. Delaware Chancery Court. 1996. Print.
Hearing on Privacy in the Digital Age: Preventing Data Breaches and Combating Cyber Crime, 6 (2014) (testimony of John Mulligan). Print.
PwC, 15 Nov. 2016. Web. 05 Dec. 2016.
Kassner, Michael. "Data Breaches May Cost Less than the Security to Prevent Them." TechRepublic. TechRepublic, 15 May 2015. Web. 06 Dec. 2016.
"Mission of the Cyber Security Division." US Department of Homeland Security. Ed. Douglas Maughan. Cyber Security Division, 6 Mar. 2015. Web. 07 Dec. 2016.
RANE. "Corporate Governance in the Age of Cyber Risks." Wharton University of Pennsylvania. Sullivan & Cromwell LLP, 10 Dec. 2015. Web. 5 Dec. 2016.
Reiter v. Fairbank, C.A. 39. Delaware Chancery Court. 18 Oct. 2016. Cns Securities Law. Web. 7 Dec. 2016.
Vitale, Joseph P. "Banking Agencies’ Proposed Cybersecurity Regulations." The Harvard Law School Forum on Corporate Governance and Financial Regulation. PwC, 11 Nov. 2016. Web. 05 Dec. 2016.