By Jeff Welgan, Head of Executive Training Programs, N2K
This is the third post in a six-part series about cybersecurity risk. Each week we discuss a different category of enterprise risk and how cybersecurity impacts those risks at the board and executive level. This week focuses on Compliance Risk, represented by the natural disaster of floods. Use the links below to access the other articles in the series:
Part One – Introduction
Part Two – Financial Risk
Hack Me Once: Shame on You. Hack Me Twice: Shame on Me. Hack Me Three Times: Get Sued by the FTC.
Flooding is often the result of two main causes: Mother Nature or engineering failures. Sometimes the latter exacerbates the former. For example, when dams or levees break during a storm surge, the damage can become exponentially worse. And just as society handles nature’s environmental challenges with engineering solutions, organizations manage cyber risk with technical solutions.
But what happens when the equivalent of cyber levees and dams continually fail?
The Drowning of Wyndham
Between 2008 and 2010, Wyndham Worldwide Corporation (WYN), a resort and hotel holding company, was breached three times. The breaches resulted in the loss of 619,000 records, consisting primarily of customer credit card information. This stolen information led to fraudulent charges amounting to $10.6 million.
Wyndham’s breaches drew special attention from the FTC because they came at a time when the FTC was establishing its authority as a regulatory power over data security policies. The size and scope of the breaches represented an opportunity for the FTC to assert its influence. In 2010, the FTC served fourteen (14) separate, detailed inquiries, each seeking information related to Wyndham’s security policies, IT infrastructure, and the databases where customer records were stolen – not once, but three times in two years.
The FTC eventually filed a lawsuit against Wyndham in 2012. The FTC’s complaint, which detailed a long list of Wyndham’s basic security failures, concluded that Wyndham’s poor security posture “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” These security failures included weak user IDs and password requirements, lack of firewalls, insufficient network segmentation, and storing sensitive information in plaintext (rather than encrypting it). These security weaknesses made it possible for Russian cyber criminals to eventually hack their way into Wyndham’s data center.
Aside from Wyndham’s cybersecurity failings, the FTC claimed Wyndham misrepresented its existing cybersecurity measures to its customers. In other words, the reality of Wyndham’s security policies fell short of the promises Wyndham made to its customers about how it was protecting their sensitive information.
On top of the FTC charges, shareholders filed a derivative lawsuit against Wyndham and its Board of Directors in 2014, arguing the two entities failed to take the necessary steps to prevent a breach. Although Wyndham succeeded in dismissing the suit, the company still incurred losses of both time and money in battling this lawsuit.
Wyndham eventually settled with the FTC. The company estimates that the total breach-related cost – including legal penalties and vendor fees – exceeded $5 million. This figure doesn’t even account for the costs incurred during the subsequent inquiries, which totaled an additional $5 million. A large chunk of this cost was likely spent on printer toner, as Wyndham had to supply the FTC with 1 million pages of hard copy documents. The time-related costs were astronomical.
Not Different, Just New
Compliance is a familiar term to board members. For every director, meeting standards and various regulations is a normal part of the job. Cybersecurity compliance is not more complicated — it’s just new.
The FTC and SEC are increasing their scrutiny of companies that are slow to comply with the latest cybersecurity laws and regulations. Lapses in compliance have prompted the FTC to bring 60 cases since 2002 against companies that have put personal consumer data at unreasonable risk.
A Secure Dam
With proper preparedness, awareness, and actions, organizations can be prepared to manage a cyber breach and its associated consequences. The following actions are simple, but they will help in navigating regulatory complexities:
- Designate a team or individual responsible for monitoring changes in the cybersecurity regulatory environment.
- Establish relationships with law enforcement agencies and regulatory bodies. Failure to follow this suggestion is what legal experts contend sank Wyndham. The company resisted cooperating with the FTC and other regulatory bodies. Wyndham aggressively fought the FTC in every step of the breach response, from reporting to settlement.
- If your activities and data cross borders, understand the requirements of foreign regulators. European regulators, for example, have particularly strict privacy laws and requirements.
- Ensure there is clear communication between your C-suite and General Counsel.
These actions incorporate awareness, communication, and common sense: tried and true tactics for minimizing compliance risk, and risk overall. By applying these known principles to a new issue, such as cybersecurity, organizations can confidently confront this challenge to avoid drowning in the consequences of non-compliance.
Cyber-related risks evolve quickly and can affect your entire organization. Understand your compliance risks and plan accordingly. Need more training? Contact us. N2K provides training in the boardroom, at board and executive retreats, and in workshop settings.
Stay tuned for the next blog in this series covering Strategic Risk.