The impact of the coronavirus pandemic is widespread and far-reaching. Nearly every facet of life and every country has been affected. Notably, COVID-19 has had a tremendous impact on the sporting and entertainment sectors, with nearly all major events cancelled or postponed. As those around the world are “sheltering in place,” alternative forms of entertainment are being pursued. And virtual sports and events appear to be the latest craze in this regard.
Less than a year ago, Bold Business highlighted the rapid emergence of esports. Projections at that time suggested the virtual sports industry would surpass $3 billion by 2022. However, in light of current events, these predictions may dramatically underestimate its growth. In fact, major sporting events are already being held online with incredible participation and viewership. The impact of the coronavirus pandemic is tangible. And its broad effects are likely to leave a lasting impression on all sporting events to come.
“People that I’ve spoken to over years that have had no interest at all in gaming suddenly want to be involved. It’s insane. I’ve never seen anything like it. When you’ve got people who never showed any interest in [simulated] racing suddenly trying to buy rigs and practice, then you know that something’s changed.” – Darren Cox, President and CEO of Torque Esports
Virtual Sports Filling the Gap
In recent weeks, several sporting events and even entire seasons have been cancelled or suspended. The NBA suspended its 2019-2020 season after members of the Utah Jazz tested positive for the coronavirus. Likewise, the NHL, MLB, and MLS followed suit, with all matches put on hold. Similarly, other major sporting series, like the Formula 1 Grand Prix calendar, also found it prudent to halt the races already on the schedule. Without question, these stoppages will cost millions if not billions of dollars. But at the same time, they leave a major void for athletes and spectators alike. Fortunately, that’s where virtual sports can help.
Thanks to the coronavirus, it may be time for virtual sporting events to take over.
When the Australian Grand Prix was cancelled, both Torque Esports and Veloce Esports jumped into action. Torque Esports created “The Race” as a replacement virtual sports contest among e-drivers using simulators. Veloce Esports launched the “Not the Aus GP” virtual race, which was similar in nature. For Torque Esports, over half a million viewers streamed the race live, with over a million total views. And over 70,000 watched Veloce’s race live on Twitch. The increase in viewership was incredible. But what was even more impressive was the increased interest in participation.
“In times like this I think there is a huge potential for us to be able to leverage our newly-developed product around esports to see how we can plug the gap we now have in the F1 calendar.” – Julian Tan, Head of Digital Business Initiatives & Esports at Formula 1
From Field to Screen – Transferring to Virtual Sports in Record Time
While millions tuned into sporting events being streamed in the virtual space, others wanted in on the action. In “The Race,” Red Bull F1 driver Max Verstappen was among the participants. Likewise, Indy 500 winner Simon Pagenaud also competed in the virtual sports event. Torque Esports reported that 30 real-world drivers competed in the event. For Veloce, the level of interest among real athletes was the same. Its competition showcased the e-driving skills not only of McLaren’s Lando Norris but also of Real Madrid’s goalkeeper, Thibaut Courtois. Apparently, virtual sports are a great alternative when real professional sporting events are absent.
Of course, virtual sporting events have offered much more than Grand Prix racing. NASCAR has gotten in on the action as well. Partnering with iRacing, NASCAR held an eNASCAR exhibition race that included celebrities like Dale Earnhardt Jr. Viewership was so large that NASCAR has since decided to hold a Pro Invitational Series in the same format. Also, once the NBA season was suspended, the Phoenix Suns announced they would continue their games on NBA 2K. This is not surprising, since many professional teams have already been developing their own esports versions. But the speed of these decisions to move ahead is noteworthy in the aftermath of the coronavirus pandemic.
“Until we have cars back on track, the entire NASCAR community has aligned to provide our passionate fans with a unique, fun and competitive experience on race day.” – Ben Kennedy, NASCAR’s Vice President of Racing Development
No Shortage of Money for Virtual Sporting Events
One of the early concerns regarding virtual sporting events involved revenues. Without traditional on-field attendance, ticket sales would be lower. Likewise, without big TV contracts, like those with ESPN, television revenues would be lacking as well. But virtual sports have already proven to be doing just fine when it comes to revenues. The booming esports industry has already exceeded $1 billion in annual earnings. And as recent history has shown, spectators will happily pay for streaming and virtual entry into sporting events. This is even more likely to be the case given that virtual sports now have a captive audience sitting at home.
In addition to these revenues, advertising dollars are also huge. For example, Intel pays over $10 million a year to sponsor the Overwatch League. Likewise, Nike pays $8 million as a sponsor for League of Legends. And this was before the coronavirus pandemic ever began. As spectators, participation, and higher-level competition evolve, virtual sports will attract more and more advertisers. And given that these sponsors no longer have traditional sporting events to support, virtual sports offer a great alternative.
“We always said we were blurring the boundaries between virtual and real. They’re blurred, they’re gone, they’re done. Forever.” – Darren Cox
An Evolving Paradigm Shift
Understandably, the sports that have migrated the fastest to virtual sports are those like racecar driving and gaming. But it is notable that leagues like the NBA and NFL have shown interest in creating their own esports leagues. By all accounts, this evolution was expected to take several years. This had less to do with development and more to do with social trends and acceptance. But the coronavirus may have changed all of that by serving as an unexpected catalyst to the process. If the pandemic lasts several months, those who normally attend sporting events will be increasingly attracted to virtual sports. And once the jump is made, there is likely no turning back.
The risks associated with cybersecurity and data privacy protections are well recognized in today’s world. A number of high-profile cases have emerged recently showing how important it is for companies to address these risks. But some degree of confusion exists regarding the corporate fiduciary duty that company directors have in this area. And without definitive rules and standards as of yet, knowing how best to protect oneself in such an environment is challenging.
With this in mind, Bold Business sat down with its own cybersecurity and data privacy protection expert, Matt Nelson. As Chief Security Solutions Consultant, Matt excels in risk-based IT security strategies and enterprise-scale security solutions. And with over 20 years’ experience leading security operations and governance, risk, and compliance organizations, his insights are extremely valued. Regarding cybersecurity and data privacy issues and corporate fiduciary duty, the following summarizes Matt’s perspective on today’s environment.
Corporate fiduciary duty and cybersecurity go hand in hand.
Bold Business: According to some statistics, cybercrime is predicted to reach a level of $6.1 trillion in 2021. In terms of enterprise risk, at what level of priority do you see cybersecurity and data privacy as an issue for corporations?
Matt Nelson: Cybersecurity and data privacy risks are operational business risks that need to be considered. These need to be prioritized alongside all other identified business risks. Traditionally, they have been treated separately at the level of a CSO or CISO. But they belong at the risk committee level. In essence, they must be considered on par with other risks as part of a company’s overall risk equation. Just as with other operational risks, decisions need to be made about which parts of the business are at risk. Likewise, the value at risk and risk transfer options (contractual or insurance-related) should be considered.
When cybersecurity and data privacy risks remain down in the IT trenches, risk treatment options are rarely part of Board discussions. In fact, Board members may not even be aware that critical business processes are at risk. This can leave Board members blindsided and the company vulnerable to litigation and fines. This is especially true if a company is found liable of negligence due to poor cybersecurity and data privacy practices.
Bold Business: Corporate directors and executives are assigned a duty of care and a duty of loyalty as corporate fiduciary duty. Can you explain these responsibilities and how they relate to cybersecurity and data privacy matters?
Matt Nelson: Duty of care and duty of loyalty are major responsibilities of corporate directors and executives. Improper execution of this corporate fiduciary duty can result in liability loss exposures for companies. Duty of care requires that corporate management keep themselves informed of corporate audit and risk committee findings. Likewise, this requires them to exercise reasonable care in making informed business decisions. This does not mean they have to become experts in cybersecurity and data privacy. But it does mean that they need to be aware of the information coming from their risk officers. If they see a gap in what’s being provided, they should ask for cyber risks to be communicated to the Board.
Duty of Loyalty is not as obvious as a corporate fiduciary duty in the cybersecurity and privacy risk space. Company officers have a duty to their stockholders to act in the best interests of the company. Likewise, they have a duty to protect stockholder investments as part of their responsibilities. It is noteworthy that cybersecurity and privacy risks can expose a company to regulatory and contractual losses. And this, in turn, may result in adverse impacts to the financial health of the company.
Bold Business: When it boils down to it, who has primary oversight responsibility and corporate fiduciary duty for a company in terms of cybersecurity and data privacy?
Matt Nelson: A company’s Board of Directors has the primary oversight responsibility for all risk as part of their corporate fiduciary duty. This oversight includes responsibility for ensuring that their enterprise risk management program assesses, monitors, and reports on cybersecurity and privacy risks. And this includes their potential impacts to the company’s bottom line. This level of visibility will assist in the protection of company assets. Such assets include both intellectual property as well as assets belonging to clients and partners.
Bold Business: One of the criteria for duties of care is to reasonably attain all relevant information and critically analyze it. How does this apply to cybersecurity and data privacy in practical terms?
Matt Nelson: While it’s true that duty of care requires critical analysis, it does not necessarily require that the Board suddenly become cyber-experts. However, this corporate fiduciary duty does require oversight officers to include cybersecurity and data privacy risks in their risk portfolio. Likewise, risk/audit committees, depending on the Board’s structure, should address these risks in terms of legal, contractual, and regulatory requirements. This should include recommendations from risk/audit committees on risk treatment actions, whether it be avoidance, retention, or transfer. And such recommendations may include options for cyber-insurance risk transfer for the Board to consider.
Bold Business: What aspects of a crisis protocol in dealing with cybersecurity and data privacy breaches are needed for them to be effective and comprehensive?
Matt Nelson: Risk management addresses the potential frequency and severity of risks. Likewise, it also determines how risks will be treated in the event of a loss (assuming pure risks). And risk management focuses on loss prevention controls, crisis management responses, and recovery activities during a specific event. The purpose of a crisis management plan when dealing with cybersecurity and data privacy breaches is to minimize harm. This includes threats to the organization’s information assets as well as the business processes operated by those assets.
Overall, a crisis protocol requires a documented Business Continuity Plan based upon an up-to-date Business Impact Analysis. In addition, it requires documented and tested response and recovery procedures. And lastly, the personnel responsible for the execution of the plan must be identified and trained. If organizations don’t have these resources in place, a partner may need to be identified to assist with these activities. Some cyber-insurance firms provide these resources as part of cyber-claim activities. In many cases, a company may actually already have a trusted partner working with them on other remediation activities.
Overall, such a crisis protocol is normally included in corporate fiduciary duty related to cybersecurity and data privacy. An organization should realize that inadequate crisis management may result in serious adverse losses for the corporation. These may include not only financial and reputational damage but legal actions, fines, increased premiums, and loss of competitive advantage.
Bold Business: Do you see value in having corporations request independent audits of their company’s cybersecurity and data privacy risks, and if so, how often should these be performed?
Matt Nelson: Independence is a fundamental audit principle, and it applies to both internal and external audits. An internal auditor is not allowed to audit any area where they have contributed to the design of the controls. Likewise, an external auditor is not allowed to consult on controls design and then audit those controls.
An organization may choose to employ a combination of internal and external auditors for several reasons. Even when an internal audit function exists, an organization may choose to use external auditors to enhance their audit program. This provides an independent view of cybersecurity and data privacy risks. Also, an independent external audit is protected from management influence that might result in inadvertent bias. Finally, internal auditors may need the services of an external auditor in specialized areas that are not their core areas. This is especially true for areas involving new and emerging technologies and for audit processes that might benefit from improvements.
In some cases, contractual or regulatory agreements determine the frequency of cybersecurity and data privacy risk audits and auditor qualifications. For example, payment card companies define the type and frequency of PCI security audits required. The PCI Security Standards Council similarly determines auditor qualifications. Other cybersecurity and data privacy audits, such as US FedRAMP and ISO 27001, operate programs requiring registered external auditors. ISO 27001 requires annual internal audits which may be performed by an organization’s audit staff. It also requires an external audit by a qualified assessor on a three-year cycle. Other regulatory bodies, such as Centers for Medicare and Medicaid Services (CMS), require a three-year cycle with all controls tested. These audits must be performed by independent auditors, whether internal or external.
In general, it is recommended that an audit of security controls be performed whenever new controls are implemented. The same is true when new technologies are deployed that change the design and behavior of existing controls.
Bold Business: Many companies rely on periodic summary reporting measures internally to oversee and monitor cybersecurity and data privacy risks. Are these effective in meeting corporate fiduciary duty and related responsibilities, and how often should such reports be generated?
Matt Nelson: Periodic summary reports may be used as a way of reporting identified risks. It is essential for risk committees and Boards to review these reports and address material cybersecurity and data privacy risks. It is essential that processes be in place to assess potential business and financial impacts of these risks and ensure that mandatory disclosures take place. This is certainly true for public companies or companies required to report to regulatory bodies on a periodic basis. Periodic summary reports may also be used in a measurement program where several periods are combined together. These can then be used to track risk trends and gain visibility into areas where further controls reviews are needed.
Bold Business: The Dodd-Frank Wall Street Reform and Consumer Protection Act requires financial institutions to have an independent risk committee to assess enterprise risk as part of their corporate fiduciary duty. Do you encourage this for all corporations in addressing risks related to cybersecurity and data privacy protections?
Matt Nelson: An enterprise-wide risk committee gives the company an advantage when evaluating risk and making risk-based business decisions. Enterprise risk allows for assessments across all risk quadrants (hazard, operational, financial, and strategic) and the organization’s business units. This broader view makes it possible to detect trends and inter-dependencies. And it is part of corporate fiduciary duty.
An example of this would be when equipment no longer supported by the manufacturer is not replaced. In the presence of an obsolete operating system not receiving security patches, a cyber-attack could result in loss of operations. This could result in the shutting-down of a manufacturing plant and cause serious financial loss. This would be certainly true if the operating system was susceptible to ransomware.
If risks are looked at holistically as part of corporate fiduciary duty, the potential for financial loss can be identified. This would then encourage system upgrades to prevent such loss or risk. But in the traditional siloed approach, the IT manager may not have the necessary data to justify the funding needed to replace the systems. This type of scenario may be remedied by communicating and sharing risk information across various silos. This can best be accomplished under the leadership of an enterprise risk management officer reporting to a risk management committee. Consolidating data and looking for patterns that would be undetected in the silo approach naturally leads to better business decisions. And this is an advantage of enterprise risk management approaches over traditional risk management ones.
Bold Business: There remains some ambiguity regarding what exactly reflects adequate cybersecurity measures and oversight. What level of risk do today’s corporate directors and executives have personally in terms of breaching their corporate fiduciary duty related to cybersecurity and data privacy?
Matt Nelson: The major corporate fiduciary duty of company officers involves duty of care, duty of loyalty, duty of disclosure, and duty of obedience. At times, directors may try to invoke the business judgement rule to excuse poor business decisions for duty of care. But this rule will fail to justify choices if available information was not incorporated into appropriate business decisions. Failing to make use of this information is generally perceived as negligence of corporate fiduciary duty involving duty of care.
Similar issues exist with duty of obedience, since corporate officers are obliged to comply with all federal and state laws. GDPR, HIPAA, and state privacy laws mandate cybersecurity and data privacy breach notification disclosures. These alone require companies to have measures in place for detection and disclosure of such breaches.
In recent years both the Yahoo! and Equifax data breaches have resulted in D&O litigation. This highlights corporate obligations to report cybersecurity and data privacy breaches to the Board along with planned mitigation activities. The risk committee of the Board must then ensure that these breaches are being addressed. And likewise, they must ensure they are reported in accordance with all contractual, regulatory, and statutory requirements.
Bold Business: Do you believe specific structures and activities will be better defined legally for corporations in dealing with cybersecurity and data privacy risks in the future?
Matt Nelson: Absolutely. Recent derivative lawsuits against corporate officers resulting from large cyber breaches (Target, Equifax, and others) support this. They have shown the importance of ensuring that Boards have adequate visibility of cybersecurity and data privacy risks. This allows these types of risks to be considered, prioritized, and managed in the same manner as other company risks.
The SEC has already produced guidance documentation in this area regarding disclosure requirements. However, this represents guidance and not law at the current time. It is important to note that the SEC has been cautionary in its language. It has stated:
“Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”
Even if not law, the SEC’s statements have raised awareness. These comments suggest that Boards are expected to consider cyber risks in the same light as other risks for disclosure. In the meantime, it is clear that cybersecurity and data privacy risks are real and are not going away. Therefore, the best defense under the business judgement rule is to ensure processes are in place to provide actionable cyber-reporting. This should be provided by the risk committee, and Board members should consider these risks alongside all other business risks.
If the Board does not feel it has the necessary cyber skillsets, cyber-training and legal counsel may be required. This can shed light on what information should be available and how due care should be provided for potential cyber-breaches.