90% of directors believe regulators should hold firms liable for hacks

A new Veracode and NYSE Governance Services survey of 276 board members reveals how cybersecurity-related corporate liability is being prioritized in the boardroom.

Nine out of 10 of those surveyed believe regulators such as the FTC should hold businesses liable for cyber breaches if due care has not been followed, and more than 50 percent expect investors to demand more transparency as a result of the increased public focus on cybersecurity liability. Pressure is building for boards and management teams to be especially wary of any corporate behavior that can impact their brand and erode shareholder value.

Security is now the second leading risk to a company’s brand – behind ethical issues and ahead of traditional risks related to safety, health, and the environment. It should come as little surprise that legal risk related to cybersecurity is a major concern for corporate directors, especially as businesses of all kinds increasingly rely on the digital domain to drive competitive differentiation and growth.

The onslaught of high-profile cyberattacks is expected to lead to an increase in legal actions regarding who should be held liable in case of a breach. Three out of five respondents foresee an increase in shareholder lawsuits as a result of heightened corporate liability due to cybersecurity issues.

Nearly 50 percent who knew of the FTC’s lawsuit against a major hotel chain said the case has influenced their executive discussions on cybersecurity liability. In the case, a Federal Appeals Court recently ruled that the FTC can pursue the defendant for failing to employ reasonable data security measures, such as using vulnerable out-of-date software.

90 percent of respondents feel third-party software providers should bear legal liability when vulnerabilities are found in their packaged software. This is particularly relevant because, according to Veracode’s 2015 State of Software Security Report, nearly three out of four enterprise applications produced by third-party software vendors contain vulnerabilities listed in the OWASP Top 10, an industry-standard security benchmark.

Key questions raised by the survey highlight the debate needed to frame the liability issue. For example: When should a company be considered negligent in its processes—or lack thereof—for securing sensitive information? What constitutes ‘reasonable’ efforts to address vulnerabilities in web and mobile applications, libraries and frameworks, and other components in its digital infrastructure? Should companies be held liable for not finding a common and easily-found vulnerability such as SQL Injection? Is it a minimum ‘standard of due care’ to patch widely-known vulnerabilities such as Heartbleed, and should businesses be held liable for failing to do so?

While 94 percent of respondents have increased or are planning to increase their security assessments to address liability concerns, two-thirds of respondents say they have also begun or are planning to insert liability clauses into contracts with their third-party providers.

Respondents also mentioned hiring outside consultants as well as ramping up security training. Many are also increasing audit committee and board-level oversight – a strategy that’s in line with expert recommendations to report on the businesses cybersecurity measures to the audit committee quarterly, and to the full board on a regular basis.

A majority of companies now have cybersecurity insurance – a market set to triple to about $7.5 billion in the next five years – mainly to mitigate financial losses brought forth by liability claims. Of those with insurance, 35 percent currently insure against software coding and human errors that can lead to loss of sensitive data. While insurance is an important mitigation step to mitigate cyber risk, it is insufficient on its own to protect against the full impact of a breach including brand damage and loss in shareholder value.