Cyber security was once the sole responsibility of IT and not a business risk discussed in boardrooms across the country. But the landscape has significantly changed and cyber security is now a front-and-center issue for directors and officers across all industries, including the hospitality segment (hotels, resorts, restaurants) and real estate industry, among others.
High-profile incidents, such as the data breaches at retailer Target last year and at hotelier Wyndham Worldwide Corporation between 2008 and 2010, among others, have put the onus of cyber security squarely on the shoulders of officers and directors. This is especially so as a new breed of lawsuits alleges that board members were asleep at the switch in light of the known exposure.
For example, Wyndham’s cyber security-related derivative lawsuit involves the organization and certain of its directors and officers as a result of data breaches that occurred over a two-year period. The Wyndham complaint specifically alleges: “In violation of their express promise to do so, and contrary to reasonable customer expectations” the company and its subsidiaries “failed to take reasonable steps to maintain their customers’ personal and financial information in a secure manner.” Moreover, the complaint alleges further that the individual defendants “failed to ensure that the company and its subsidiaries implemented adequate information security policies,” and the company’s property management system server “used an operating system so out of date” that the company’s vendor “stopped providing security updates for the operating system more than three years prior to the intrusions” and allowed the company’s software to “be configured inappropriately.”
Indeed, we’ll have to wait for the outcomes of such lawsuits against directors and officers, but it’s clear that boards now play a pivotal role in preventing and detecting risks associated with information security breaches. This was underscored by the SEC during its Cybersecurity Roundtable in March, where one of the principal takeaways was the instrumental role a board of directors and senior management should play in leading an organization’s cyber security preparedness and resilience to cyber security attacks.
Directors rely on their management team as well as third-party vendors and consultants to implement measures to prevent data attacks, but they also have a fiduciary duty to ensure that cyber security risks are being managed properly. What can they do to help fulfill their fiduciary duties? Following are several recommendations, as provided in an article that appeared in The Privacy Advisor:
- Through briefings from senior management and others, develop a high-level understanding of cyber risks that a company faces.
- Consider retaining outside consultants to evaluate the company’s security risk management.
- Assign at least one committee to be responsible for overseeing and understanding cyber security issues, controls and procedures.
- Ensure that the vendors a company retains have adequate security measures in place to protect data and that there are sufficient contractual clauses between the company and the vendor regarding such security.
- Promote and facilitate a culture that views cyber security as a business issue that all employees understand and participate in. Companies should consider holding employee training and awareness programs around cyber issues.
- If possible, have a cyber expert on the company’s board of directors or receive regular reports from a cyber security expert to discuss at board meetings.
- Implement, and keep updated, a plan to respond to a cyber security attack or data breach. Senior management should become familiar with the legal and contractual requirements to determine what steps they would be required to take if the company fell victim to a data breach. These requirements, including notification obligations, vary by state.
Of course, any cyber plan must include Cyber Liability insurance. In addition, organizations should review their directors and officers insurance to see if coverage will respond to data breach lawsuits. IPOA provides Data Breach coverage through our HotelPro program. We also provide comprehensive insurance programs not only for the hotel sector but also for the real estate industry and senior living. For more information about our programs, please call 877.653-IPOA (4762).