By T.J. Grasmick and Harold ReichwaldWhat happens if your board drops the ball on cybersecurity? Consider what happened to a hospital network in California. Cottage Health System in Santa Barbara spent $4 million to settle litigation and respond to a federal investigation late last year after its patient records were found to be inadequately protected from public Internet access. When Cottage Health made a claim under its “Privacy” policy, its insurer denied coverage, saying the system and its vendor failed to follow “minimum required practices” that it promised to follow.
Among other things, Cottage Health had promised to test computer security regularly; periodically reassess its exposure to cyber threats; select, oversee, monitor and audit third- party vendors of information security management; and take steps at all times to protect computer systems from unauthorized access. The insurance company claimed that the hospital system failed to meet these minimum standards.
This case relates directly to the fiduciary duties and potential personal exposure of bank directors in cybersecurity risks. It illustrates what will be expected of all companies with computer systems that contain sensitive and private information, and it may well set a minimum standard for banks recovering on cybersecurity insurance policy claims.
As data breaches continue to make news and cost banks money, it’s worth remembering that—as with every risk in banking—the final responsibility for addressing cybersecurity risks rests with the board of directors. Directors should start by conducting a thorough cybersecurity self-assessment using the banking agencies’ free new tool.
The board’s responsibilities for risk management and oversight of cybersecurity include being aware of the vulnerabilities of the bank’s operations to attack, including the potential access points into the bank’s systems, including PINs stolen by cameras at ATMs, sophisticated hacks into the bank’s network or employees logging into the network through unsecured airport Wi-Fi. Boards must also understand the bank’s reliance on external vendors and how it monitors its third-party providers. It is critical to ensure the bank has a tested incident management and response program.
The board and senior management must be proactive in their governance of everything cybersecurity by the next exam. This includes using consultants, engaging counsel, soliciting vendors and training staff and directors with data breach exercises. If the board and management do not take these steps, they can expect management and risk ratings to drop—with a distinct possibility that enforcement actions will follow.
A cybersecurity enforcement action will put M&A or other expansion plans on ice. The next shoe to fall may be civil money penalties against the bank—and potentially against individual directors if the corrective action response is deemed to be materially deficient. Addressing cybersecurity risks belatedly after shortcomings have been identified by examiners or, worse yet, after a significant and successful cyberattack, will entail much higher costs for consultants, enhanced technology and training.
Directors should also consider their bank’s cyber insurance coverage and evaluate whether the bank is meeting its obligations under the policy. Cybersecurity insurance is an evolving product, and many carriers tend initially to deny coverage if policy language is unclear and other policies will be affected by its actions. If insurance companies follow the pattern set when BSA/AML enforcement actions bloomed, they will exclude cybersecurity coverage completely if the bank has had an incident or a regulatory enforcement action, or they will charge absurd premiums as they did for D&O coverage.
Directors of publicly traded banks and bank holding companies should be concerned about shareholder suits after a data breach alleging neglect of fiduciary duties, gross mismanagement and waste of corporate assets arising from the board’s failure to take sufficient steps to protect customers’ personal information.
In these cases, the claims could involve not only the failures that occurred before the cyber attack but also for the way in which the board and management conducted the affairs of the bank as it responded to the data breach.
Bank boards should address cybersecurity issues on a regular basis. At least one director should be thoroughly familiar with the threats posed by a cybersecurity breach, and all directors must be inquisitive, informed and instrumental in governing the bank’s cybersecurity risks. Otherwise, the next examination may be the start of a long, painful and costly regulatory enforcement experience.
T.J. Grasmick and Harold Reichwald are Los Angeles-based partners at the law firm Manatt, Phelps & Phillips, LLP.