Board Governance and Cyber Risk

Edna Twumwaa Frimpong

Commentary by Edna Frimpong and Charalambos Argyrou

The proliferation of technology and digitalization has made cybersecurity and cyber risk central to business continuity. Safely protecting a company's data, both organizational data and the personal information of employees, clients and customers, is of ever-increasing importance. With the pandemic forcing us to work from home, cyberattacks, particularly ransomware attacks, have also increased significantly. Boards need to better understand cyberattacks and cyber regulation in order to conduct effective risk management.

Relevant Data Protection Regulations and Laws in Europe and the U.S.

The EU General Data Protection Regulation (GDPR) serves as a system of regulation on data protection and privacy. GDPR was implemented on May 25, 2018 and replaces the 1995 Directive (Data Protection Directive). The aim of GDPR is to give individuals more control over how organizations disclose or delete the personal data they hold. Moreover, GDPR applies to all member states in order to make the treatment of personal data protection consistent across Europe. An organization that operates under EU law can be fined under GDPR up to EUR 20 million, or 4% of the company's annual global turnover. For comparison, before the implementation of GDPR, the Information Commissioner's Office (ICO) in the UK could fine an organization up to GBP 500,000 for data protection failures. The substantial increase in data protection fines, together with the fact that EU countries can now enforce the GDPR more easily, pushes organizations toward better data protection practices.

The United States, on the other hand, approaches data protection and privacy differently. Instead of an all-encompassing data protection regulation such as GDPR, the United States has a variety of federal and state regulations to safeguard American citizens' data. The United States has legislation protecting personal data at the sector level, but there is no broad legislation like GDPR. Examples of US laws are the Federal Information Security Management Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA).

A Closer Look: Ransomware

The year 2021 has seen an exponential increase in ransomware attacks, with most of these attacks hitting government institutions and the healthcare and technology sectors. The amount of money demanded by these attackers has also increased in 2021, with some attackers demanding tens of millions of dollars. Even more frightening, 'double extortion' ransomware is also on the rise, where hackers demand a second ransom payment in return for not releasing the sensitive data stolen during the first attack. One of the biggest ransomware attacks in 2021 was the Kaseya cyberattack, in which data of close to 1500 companies was compromised. Attackers demanded over USD 70M to restore the data, highlighting the menace in the software supply chain.

Regulatory bodies have warned in their recommendations that paying these ransoms can expose financial firms to increased financial and compliance risk, including under Know Your Customer (KYC), Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) laws. Many companies have resorted to insurance to cover the risks associated with ransomware attacks. In the United States, a market report suggests that cyber insurance direct written premiums increased by approximately 22% in 2020 to almost USD 3 billion, and the direct loss ratio for unrelated cyber rose to 73% in 2020.

While insurance companies are not reporting the specific loss cost drivers, it can be deduced that the increase in ransomware is a factor behind the higher losses. Cyber indemnification typically covers ransomware payments and the forensics associated with cyber events. Insurance companies are divided about underwriting policies that cover ransomware. For example, Beazley's CEO Adrian Cox stated recently that the insurer would still cover policies that include extortion payments but called for clarification from governments to establish whether such payouts align with public policy. French insurer AXA announced in May 2021 that it would no longer cover ransomware payments under cyber-insurance policies in France. This stance has the potential to be followed by other big insurance players and jurisdictions. However, this may not be a desirable situation for most issuers, as an inability to transfer the risk would mean an increased financial burden in the case of an attack.

Recent Cyberattacks

On October 16, 2020, British Airways was fined GBP 20 million by the ICO, the largest fine the ICO has ever issued, for a data breach affecting more than 400,000 of its customers. During 2018, British Airways experienced a cyber breach but did not detect it until two months after the attack, because of inadequate security measures used to protect the data. ICO investigations found weaknesses in the security system British Airways was using, despite the availability of higher-rated security systems.

Figure 1 illustrates the current expertise and skills of the board of directors of International Consolidated Airlines Group (IAG), the parent company of British Airways. Looking at IAG's board, only one board member out of twelve possesses technological or information technology expertise.

Figure 1. Expertise and skills of the board of directors of International Consolidated Airlines Group (IAG). (Figure not reproduced.)

Figure 2. Expertise and skills of the board of directors of H&M. (Figure not reproduced.)

Source: CGLytics data and analytics

The second example is based on a cyberattack at H&M. Data breaches do not only concern customers' personal data, but also employees' personal data. In October 2020, H&M was fined EUR 35.3 million for breaking GDPR rules in its handling of employees' personal data. This is the second largest fine issued under the GDPR and the largest fine issued for an employment data breach. Figure 2 illustrates the current expertise and skills of the board of directors of H&M. Again, only one board member out of twelve possesses technological or information technology expertise.

Technology Experts on the Board?

CGLytics' (a Diligent brand) proprietary database collects the board composition of each company on its platform, as well as the expertise and skills of each board member. By using the CGLytics platform, one can therefore see which expertise and skills a company does or does not have on its board. According to our database, the average percentage of board members with technological expertise on FTSE-100 boards is only 8.67%, and 49 companies in the FTSE-100 have no technological expertise on their board whatsoever.

The role of the board of directors is to monitor the long-term health of the company. Lacking any sort of technological experience or understanding on a board leaves that company vulnerable to cyberattack. Think of British Airways and H&M as examples: though neither company is in the technology sector, technology is an integral part of their operations. Moreover, the fact that more and more fines are being issued in Europe since the implementation of GDPR in 2018 makes it even more pressing that members of boards of directors possess a working knowledge of cybersecurity, data privacy and digital transformation.

The Way Forward for Data Protection

When it comes to protecting data from cyberattacks, a collective effort across companies, governments and other regulatory bodies is crucial. Ensure that your cybersecurity software and policies are up to date. If your company lacks technological leadership, ensure that the right talent is brought in. Issuers usually change their board composition after a cyberattack by increasing the number of directors with technology expertise and skills. Some companies have even begun introducing technology-focused board committees.

In addition to appointing tech-savvy directors, it is very important that there is strong communication between the CIO, CISO, CEO and the board. In most organizations, cybersecurity professionals sit at least two layers below the Chief Executive Officer in the company hierarchy, with few opportunities for direct discussion about protection issues and priorities. The result is little to no formal documentation of the status of defense systems passing between the cyber function and the C-suite. In order to properly protect against cyberattacks, these communications must become more integrated, frequent and deliberate.

Combatting Ransomware Attacks

Confronted with a pressing need to halt the spread of ransomware, regulatory agencies in the United States such as the Office of Foreign Assets Control (OFAC) and the Securities and Exchange Commission (SEC) are implementing regulations to prevent companies and organizations from paying extortion money to buy their way out of a ransomware attack. These regulations are aimed at giving law enforcement agencies mechanisms to punish and sanction companies and organizations that choose to pay ransoms to attackers. Consequently, these new regulations and sanctions could become governments' most powerful tool for curbing the spread of ransomware.

In October 2020, OFAC issued an advisory stating that any amount paid, even under the coercion of a ransomware attack, could be a violation of federal sanctions regulations in the United States. OFAC sanctions apply on a strict liability basis, so being the victim of a cyberattack is not a defense. In Australia, the Ransomware Payments Bill 2021, introduced to parliament in June 2021, would also require any business entity or Commonwealth Government body that pays extortion money to ransomware attackers to notify the Australian Cyber Security Centre (ACSC) in writing "as soon as practicable". According to the bill, they are to include the amount of the payment as well as any other known information about the hackers. The bill did not specify a period for the notification; however, businesses that fail to report ransom extortion payments would risk fines of up to AUD 222,000 (1000 penalty units). We can expect many other regulations from other jurisdictions to spring up in the future.

About the Author

Edna Twumwaa Frimpong

Head of International Research

Edna Frimpong is an experienced research analyst with a demonstrated history of working in the information technology and services industry. In her role with the Diligent Institute, Edna oversees and directs corporate governance research projects and partnerships internationally, outside the US. She joined Diligent Institute in 2021 after six years with CGLytics, a corporate governance analytics firm based in Amsterdam, The Netherlands, acquired by Diligent, where she served as Head of Research for the EMEA region. Previously, Edna held research positions at firms including Sustainalytics and Carnomise. She received her Master's Degree in Finance and Law from the Duisenberg School of Finance in Amsterdam, and her Bachelor's Degree in Administration, Insurance and Risk Management from the University of Ghana.