In 2022, a record number of cyber attacks was reached. There was a particularly notable increase in attacks based on obtaining staff members' credentials, installing malware, phishing, smishing or denial of service. It is worth noting criminals' interest in attacking employees, and the risk this poses to the supply chain. This approach is popular among criminals because it yields a high return on investment (ROI) and carries very little risk for them.
Some of the world’s largest and best-known companies fell victim to cyber incidents. Indeed, no one is safe: Apple, Cisco, Meta, Samsung, Twitter and Uber, among others. But it should not be forgotten that individuals and SMEs are also the target of attacks.
As if that weren’t enough, cyber attacks have become increasingly sophisticated, often causing immense damage to businesses and governments around the world. In May 2022, for example, the Costa Rican government was forced to declare a state of emergency after a criminal group attacked its institutions with ransomware.
Businesses suffer significant consequences not only from the data breaches themselves, but also from the litigation that often follows. To illustrate with an example, last year T-Mobile settled a class action lawsuit arising from a data breach for 350 million.
Government and regulatory agencies have also taken note of the problem and are increasing the pressure on companies to respond effectively to cybersecurity incidents. Notable among these pressures is the imposition of heavy fines on companies that fail to show due diligence in preventing incidents. Boards of directors around the world are under fire and are facing shareholder complaints, as is increasingly common in the US.
The main ground for these complaints is the alleged breach of management’s cybersecurity oversight duties.
According to a final decision of a US court, managers may face personal liability for failing to prevent damage, particularly where there was a lack of diligence, or where they knowingly accepted a low degree of compliance (bad faith). Bad faith may be established based on allegations that the board ‘completely failed’ to implement monitoring or reporting systems, or that its oversight of cybersecurity was absent or inadequate.
In one high-profile case, plaintiffs sued after a data breach at Marriott International Inc. exposed the personal information of up to 500 million guests of the hotel chain. The plaintiffs accused management of “failing to fully discharge its oversight responsibilities, turning a blind eye to known compliance violations, or knowingly failing to remedy the cybersecurity flaw.”
There are many cases that demonstrate the need for companies and their managers to remain alert to cybersecurity risk. The decisions outline certain “bad practices” to be avoided, including the failure of committees with cybersecurity oversight responsibilities to report regularly, to adequately consider industry warnings, and to conduct appropriate cybersecurity due diligence when acquiring a company.
Cybersecurity should be a "Critical" risk that businesses and boards of directors need to effectively manage and monitor.
The lawsuits allege violations of “positive law” by referring to industry standards promulgated by regulatory bodies and associated legal requirements.
As more companies become subject to laws and regulations governing cybersecurity practices, lawsuits will focus on allegations of failure to comply with those requirements. The rules being proposed would impose new cybersecurity requirements on businesses, including regular reporting on policies and procedures for identifying and managing cybersecurity risks, on the role and expertise of management in assessing and managing cybersecurity risk, and on the implementation of security policies and procedures.
The organization must ensure that the board, or designated committees with responsibilities for cybersecurity, receive appropriate management reports. Those reports must address, at a minimum: external risks, cybersecurity in relation to the supply chain, the plan to implement adequate protections against cyber intrusions, internal risks, cybersecurity programs and cyberinsurance coverage, and procedures and training/awareness related to cybersecurity.
Given the proliferation of highly sophisticated cyberattacks and recent court cases addressing a board’s cybersecurity oversight duties, companies must remain focused on cybersecurity risk.
By taking the steps discussed, you will be in the best position to properly assess and track cybersecurity issues and limit associated legal and regulatory exposure.
Update on the NIS2 Directive regarding Board of Directors Oversight and Accountability.
For the first time, NIS2 specifically places an obligation on management bodies (including C-suite members) to implement and comply with enhanced security measures, and alludes to the possible consequences of not doing so.
According to the official journal of the European Union, “Member States shall ensure that any natural person responsible for or acting as a representative of an essential entity with powers to represent it, the authority to make decisions on its behalf or the authority to exercise control over it has powers to ensure that it complies with this Directive. Member States shall ensure that such natural persons can be held liable for their breach of their duty to ensure compliance with this Directive.”
In this regard, at Kymatio we highlight the need to address the measures listed in Recital 89 of the Directive:
(89) “adopting a wide variety of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management, or awareness of users, and they have to organize training for their staff and raise awareness about cyberthreats, the illegitimate capture of confidential data or social engineering techniques.”