Hausmann Group July 24, 2017 7 min read

If You Want to Destroy my Sweater…

…hold this thread as I walk away; so goes the Weezer song.

The LA punk band may not be known for their risk management prowess (shocking, right?), but they were on to something that can be useful in understanding the future of cyber security risk.

[My inner high-school rocker hates what I’m about to do, but strap in: it’s Weezer meets data security.]

What Weezer was getting at is critical for C-suite managers to realize: just like you can destroy a sweater by pulling on a single thread, you can destroy (or at least put in jeopardy) a company’s future with just a single cyber security event.

Let’s walk through this step by step:

  • Your company has been doing well lately. Lots of work, lots of happy clients, and lots of happy employees too. This success comes to a screeching halt one Monday morning when you arrive to work to find that every laptop, desktop, and even your servers have been infected with ransomware by some Troublemaker. Even the backups have been compromised.
  • Because things had been going so well, you never really took the time to develop a cyber security incident response plan, a data governance framework, or investigate cyber insurance. So, with the network locked up now, you don’t have a plan for dealing with this kind of a problem. Say It Ain’t So.
  • As the hours turn into days, your once-happy employees’ payroll costs continue to mount even as they can’t work, your once-happy clients are demanding to be released from their contracts, and your bottom line, both present and future, starts to take a serious hit as the local media gets wind of the story. A friend tells you about a forensic IT company, and after learning that they charge around $350/hour (and work 24 hours a day, with 2-3 individuals on the job), you bite the bullet and enlist their services to unlock your systems and repair your corrupted data. For the same price, you could have bought a home in Beverly Hills (well, maybe you could have paved a long driveway and done some nice landscaping…).
  • By the time the dust has settled, your business has lost just shy of a quarter million dollars in just under a week’s time. Thankfully (if you can even say the word), you didn’t have much personal client/employee info, health info, or payment card info. If you did, the costs could have exceeded $1,000,000 in the blink of an eye. That would (not) have been a Perfect Situation.

Alright, enough with the indie rock. Let’s get down to brass tacks. At this point, cyber security issues have received enough press and have been experienced by enough businesses, of all sizes and varieties, that, should a business not have some sort of cyber security plan in place, investors, regulators, lenders, and even clients would have standing to ask: “Why haven’t you prepared for this?” “I didn’t think it would happen to us…” is not likely to be an encouraging response.

This brings us back to our sweater analogy. What starts as a cyber event can morph into a Directors & Officers liability event fairly easily. Home Depot recently settled what’s thought to be the first “successful” cyber-related shareholder derivative lawsuit. The shareholders alleged that Home Depot “…breached their duty of loyalty because the defendants failed to institute internal controls…[and] that the defendants wasted corporate assets.” The case was settled for $1,000,000 and a promise from Home Depot to make changes to their cyber security practices. And while that’s peanuts for a company of that size, the precedent it sets should grab the attention of corporate officers everywhere. Based on this case, corporate officers can be held responsible for their actions and/or inactions within the realm of cybersecurity.

So, how can corporate officers show they’ve considered and planned for a cyber event? Where are they to begin? Anywhere. Just start doing something. Anything. And document it all. Develop an incident response plan. Deploy the NIST Cybersecurity Framework. Run a tabletop claims exercise. Hire an outside firm to administer a phishing simulation and penetration test. Purchase a cyber insurance policy from an agency that knows cyber. And while you’re at it, have your agent review your D&O policy to ensure it’s cyber friendly too. Just pick one path and let your security develop organically from there. If you aim for security, you’ll likely hit compliance, but if you aim for just compliance, you may miss security.

Long story short, if you want to spend your retirement on an Island in the Sun, take time to take your cyber security seriously.

If you'd like to learn more about how to protect your business (or your sweater?), register for our IT Security Webinar.
