April 17, 2018 by Greg Meckbach
Directors and officers do not have to be flawless in their cyber security controls but need to come up with a cyber incident response plan and practice it on a regular basis, speakers told insurance professionals at a recent conference.
“You need to assume you are going to be hacked,” Richard Nesbitt, chief executive officer of the Global Risk Institute said at the recent International Cyber Risk Management Conference.
The way most companies manage a cyber attack “has often made the problem worse,” he said during an ICRMC session titled Shall We Play a War Game?
That session began with a dramatization, with Nesbitt playing the role of the CEO of a corporation that was rumoured to have fallen victim to a cyber attack – and was not prepared to respond. The aim “was to show that you should have a good post-breach action plan,” and you should practice it before a cyber breach happens, said Alex LaPlante, managing director of research at the Global Risk Institute.
A CEO needs to be “directly responsible” for managing the response to a cyber incident, Nesbitt suggested.
“This is not something that I, as CEO, can delegate to somebody else,” Nesbitt said. “When the proverbial hits the fan, the CEO will be brought into it and if they are not part of this planning, part of this role playing – they will be the least equipped to make decisions.”
ICRMC was produced by MSA Research Inc. and held at the Metro Toronto Convention Centre last week.
Also on the war game panel was Steve Tenai, a lawyer for Aird & Berlis who has defended corporate clients against class-action lawsuits.
After a breach occurs, company officials should not use words like “guarantee” or “assure” when talking to customers, shareholders or the general public, Tenai said.
Tenai suggested courts and regulators are not expecting “perfection” from directors and officers in preparing for or responding to cyber incidents.
“You have to plan for contingencies and you won’t be judged on perfection,” he said. “Legally you will be judged on how prepared you are and how seriously you looked at testing your controls and looking at deficiencies and remedying them.”
A case in point was Home Depot, whose payment card system, court records indicate, was hacked by criminals in 2014. A class action lawsuit in Ontario was settled.
The total fees requested by the plaintiffs’ law firms were nearly $407,000, but the judge approving the settlement only approved fees of about $120,000.
This is because “the court said there was no case here, and the regulators were satisfied,” Tenai said April 12, 2018 at ICRMC.
“Why is that? Because we don’t live in a world of perfection and anyone who says ‘can you give me assurances that everything is okay’ is in la-la land and isn’t taking their responsibility seriously,” Tenai added.
In the Home Depot hack, the only customers affected were those who swiped their cards at self-checkout terminals that had been infected with malware, Justice Paul Perrell of the Ontario Superior Court of Justice wrote in his ruling approving the settlement, released in August 2016 and indexed as Lozanski v. The Home Depot Inc.
“The real villains” in that breach “were the computer hackers, who stole the data,” Justice Perrell wrote in Lozanski v. The Home Depot. “After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach.”