What The Boardroom Thinks About Data Breach Liability

The New York Stock Exchange and Veracode surveyed 276 board directors or senior execs of publicly traded companies on the subject of data breach liability and I find the results interesting.

It is important to understand that these are very large companies and when it comes to cyber risk, they are likely at the top of the learning curve.  Still, what they think today is likely what the rest of the companies will think in a few years.

That said, here are some of the results:

1. 90% believe that regulators should hold companies liable for breaches if they didn’t properly secure their data.  This answer really hinges on the definition of “properly”.  Still, these board members are not trying to get out of their responsibility, which I think is great.
2. 90% also think that third party software providers should be held liable for vulnerabilities in their code.  While this sort of tracks with #1 above, if you are a software vendor and sell to big companies, I would worry about this.  If what this means is that they want you to fix the bug, that is not a big deal.  If what it means is that they want you to pay for the breach if the attackers got in due to a bug in your software, that is a BIG problem.
3. 65% say that they either have already or are planning to include liability clauses in their contracts with software suppliers.  If you are a software vendor, this could dramatically affect your business and would likely change what cyber liability coverages you buy and at what amount and indirectly, your cost of doing business.
4. When it comes to cyber insurance, 91% have some form of insurance including business interruption and data restoration.  54% have coverage for fines, breach notification and extortion.  35% say they want coverage for software coding and human error when it leads to a breach.  This last coverage is not well defined yet and could be expensive.
5. 52% say they are buying employee or insider threat coverage.  This is smart because a goodly percentage of breaches are due to acts of omission or commission by insiders.

What is unclear at this point is what the regulators and insurance companies are going to demand.  Companies can wait for the regulators (like the very detailed proposed rules from the NYDFS) or companies can get ahead of the power curve.

What seems clear is that with insurance companies beginning to raise premiums and deductibles significantly (premiums in retail went up 32% in the first half of 2015;  Anthem had to accept a $25 million deductible when the renewed their insurance this year), what is next is insurance companies examining business practices much more closely before granting or renewing coverage – some carriers have already started doing this.

Businesses have two choices – wait and hope they can scramble fast enough when the regulators or insurance carriers call on them or get ahead of the power curve – the choice is a business decision that may impact the future of the company.  Big NYSE companies can afford to hire experts when this happens and pay them $50 million to get the tushes out of a crack.  For smaller companies, even if that bill scales down to $5 million, it might be a problem.  And, even if you spend the money, the inside resources that are needed to execute these plans will likely be significant.

Interesting food for thought.

Information for this post came from Dark Reading.

by