Fred E. Karlinsky, Esq.
GREENBERG TRAURIG LLP
(954) 768-8278
Richard J. Fidei, Esq.
GREENBERG TRAURIG LLP
(954) 768-8286
Christian Brito, Esq.
GREENBERG, TRAURIG, P.A.
(954) 768-8279

CORPORATE GOVERNANCE IN INSURANCE: CREATING EFFECTIVE MECHANISMS TO ADDRESS CYBERSECURITY THREATS

Cybersecurity attacks continue to plague companies around the globe. Recent litigation and regulatory action have demonstrated that responsibility for a company’s cybersecurity ultimately rests with the board of directors. In the wake of recent cyber-attacks, shareholders have filed suit against board members, alleging that their failure to take steps to prevent a data breach violated the directors’ fiduciary duty of care. Regulators have also taken action against companies affected by data breaches, reminding directors that cybersecurity is not merely a question for IT personnel, but a high-priority issue that must be addressed from the top down. Rather than being compelled to act through litigation or regulatory action, boards should be proactive and create company-wide cybersecurity protocols that regularly test the company’s cybersecurity systems, train employees in cyber risk management, establish a data breach response plan, and manage relationships with third-party service providers.

The board must also implement appropriate mechanisms to ensure it can adequately oversee the company’s cybersecurity systems and personnel. One effective way of doing so is to appoint a committee responsible for managing and overseeing the company’s cybersecurity systems and IT personnel. In the right circumstances, this could be the committee already responsible for overseeing the company’s risk management policies and procedures, such as a Risk Committee (“RC”). Another alternative for certain companies may be to appoint an independent Cybersecurity Risk Committee (“CRC”) to focus exclusively on cybersecurity, data management, and IT. A CRC would be especially valuable to large insurers that handle significant amounts of sensitive customer and employee data.

Expertise is an important factor in selecting committee members. Boards should consider appointing directors with IT and information security knowledge to sit on the designated board committee, so that the committee can question management’s assessments rather than simply receive them.

To best safeguard company data, the RC or CRC should evaluate the company’s data management and IT systems and identify vulnerabilities and weaknesses that could be exploited by bad actors. Armed with that knowledge, the board should establish a written Cybersecurity Program (“Cyber Program”) that, at a minimum, contains detailed data management and cybersecurity rules and procedures that must be followed by all employees at every level of the organization. The board may also designate a Chief Information Security Officer (“CISO”), a senior manager responsible for the day-to-day operation of the Cyber Program. By communicating regularly with the CISO, the designated board committee can oversee the effectiveness of the Cyber Program.

One key function of the Cyber Program is the implementation of safeguards, such as timely patching and updating of software and continuous monitoring of the company’s network to detect suspicious activity and possible threats. Additional safeguards should be implemented to ensure that sensitive data is maintained within the company’s secure internal network and is not transferred to unsecured external networks, such as the Internet, or to unauthorized devices such as USB drives or CDs. Because a policy alone does not prevent such transfers, these safeguards should be enforced technically (for example, through device controls and data loss prevention tooling) and not merely documented.

All data pathways between the internal network and external networks should be monitored and secured through firewalls and similar security measures. Such pathways have become especially important due to the socio-technological phenomenon known as the “Internet of Things,” in which devices such as security cameras, thermostats, printers, and automobiles transmit data over the Internet to other devices. Such devices are often difficult to patch and should be inventoried and segmented from networks that carry sensitive data.

In addition to implementing procedures designed to maintain the integrity of the company’s data networks, the Cyber Program should incorporate data retention policies that dictate the manner in which, and the extent to which, the company’s data is retained. Generally, sensitive data should be retained only so long as is legally necessary, or for so long as it serves a legitimate business purpose, whichever is longer, and no longer: data that is no longer held cannot be stolen in a breach. Procedures must be adopted to ensure that such data is disposed of securely, including data held in backups and by service providers. Importantly, these procedures must include legal hold policies that ensure the company retains all data that is or may be the subject of pending or threatened legal or regulatory action. Failing to implement legal hold policies could lead to the imposition of civil and possibly criminal sanctions. Accordingly, it is critical that the designated board committee work with counsel to oversee the implementation of legal hold policies and adopt mechanisms that ensure such policies are strictly adhered to.

An effective Cyber Program should also establish mechanisms for educating employees on how they can minimize the company’s overall exposure to cybersecurity threats. Many breaches have resulted from the mishandling of data or communications networks by employees. While it is impossible to hedge against every risk, companies should equip their employees with the tools they need to help minimize the company’s exposure. One method of doing so is to develop employee cybersecurity programs that educate employees on the threats posed by cyber-attacks and train them to follow cybersecurity best practices. Such practices include adequately securing mobile devices, avoiding public Wi-Fi hotspots, recognizing and reporting phishing emails, and using strong, unique passwords. (Current NIST guidance in SP 800-63B favors long passwords checked against lists of known-breached passwords over forced periodic rotation, which tends to produce predictable variations.) It is especially important that training programs be updated regularly to address evolving cybersecurity risks. Controls on employee access points, such as multi-factor authentication, should also be implemented to ensure that only authorized employees have access to the network.

The Cyber Program should also establish contractual requirements for third-party service providers to ensure those entities have implemented adequate internal cybersecurity practices before the company does business with them. Companies should also conduct periodic audits to assess those providers’ cybersecurity protocols and identify issues that arise after the contractual relationship has been established. Setting minimum standards for third-party service providers and maintaining regular oversight of those relationships is particularly important where service providers have access to company data. In such circumstances, contracts with third-party service providers should specify the duties and responsibilities that flow to the service provider in connection with handling, storing, protecting, and destroying company data, including the provider’s obligation to notify the company promptly of a breach on its own systems.

It is also important for CISOs and boards to consider how their companies will respond to cybersecurity attacks. Companies should develop, maintain, and update an incident response plan outlining the procedures to be followed once a cyber-attack has been discovered. The board should ensure that an emergency response team, composed of members of the designated board committee, legal counsel, IT personnel, compliance officers, and communications personnel, is in place to respond quickly to breaches once they occur. Each member of the response team should be familiar with their roles and responsibilities, from containing compromised IT assets (while preserving logs and system images for forensic review) to notifying the appropriate authorities and affected consumers within the applicable deadlines. These measures may mitigate the liability that results in the wake of a breach.

Importantly, it is rarely sufficient to simply establish a Cyber Program and assume that it will effectively protect the company from cybersecurity threats. The designated board committee should work closely with the CISO to ensure that the Cyber Program is periodically tested to evaluate its effectiveness. A “penetration test,” designed to simulate a real-world cyber-attack, can be conducted by an in-house team or outsourced to third-party professionals; its scope and rules of engagement should be agreed in writing beforehand. Significant vulnerabilities revealed by the test should be brought to the attention of the entire board, addressed as expeditiously as possible, and re-tested to confirm the fix.

Implementing corporate governance mechanisms aimed at securing the company’s data management and IT systems will help the board mitigate cyber risk and potential liability. Importantly, maintaining oversight of a robust cybersecurity program can help achieve a culture of compliance in light of new and evolving regulatory requirements. The New York Department of Financial Services (“NYDFS”) has taken the lead in establishing new cybersecurity standards (23 NYCRR Part 500) with which insurance companies and financial institutions must comply. All insurance company boards should be aware of the NYDFS regulation, regardless of whether they operate in New York, because it is indicative of a national movement: regulators at both the state and federal level are taking steps to impose new cybersecurity requirements on insurers and financial institutions. Perhaps more importantly still, the Cybersecurity Working Group of the National Association of Insurance Commissioners (“NAIC”) recently adopted a draft of its Insurance Data Security Model Law, which is expected to be rolled out to the states for adoption.

Cybersecurity will continue to be a major issue affecting all companies, but it is a particular concern for insurers that collect and store massive amounts of sensitive policyholder data. Insurance companies may be exposed to legal liability if they fail to implement and oversee cybersecurity protocols in their organizations, and in certain circumstances this could result in liability for individual board members. Regulators will continue to monitor companies and may take action if appropriate cybersecurity safeguards are not in place. Effective corporate governance is key to ensuring compliance with these standards, satisfying the board’s duty of care, and avoiding the many negative consequences of a data breach.

References

[i] This article first appeared in the Fall 2017 issue of The Demotech Difference, a publication of Demotech, Inc., www.demotech.com.

[ii] Demotech, Inc. and Greenberg Traurig, P.A. greatly appreciate the contributions that were made by Benjamin A. Pierce, Esq. in preparing this article.