Board Oversight and Cybersecurity - What are the Risks to Your Company?

Does your board exercise proper oversight over cybersecurity risks? Directors and officers have fiduciary duties to protect the assets of their companies. This obligation covers digital assets, including corporate information, applications, and networks. The scope of the obligation is defined, in part, by laws and regulations that impose specific privacy and security obligations on companies.

The threats to digital assets are real, and companies are increasingly grappling with how best to manage network infiltrations, denial-of-service attacks, and other cyber-threats. In this context, a new report found that while boards are engaged in risk management, the link between cybersecurity risks and enterprise risk management remains poorly understood.

The report, How Boards & Senior Executives are Managing Cyber Risks, is based on a survey conducted by Carnegie Mellon CyLab. This is the third survey that CyLab has conducted, and its findings reveal that, for many companies, boards do not have sufficient information to properly oversee the management of cybersecurity risks.

CyLab identified the following areas as specifically lacking:

  • "Reviewing budgets, security program assessments, and top-level policies;"
  • "assigning roles and responsibilities for privacy and security;"
  • "and receiving regular reports on breaches and IT risks."

The report also noted that little attention is focused on risks related to vendor management and observed:

"the low response for vendor management is concerning because it indicates that the privacy and security of data at cloud and software providers and outsource vendors are receiving little oversight."

In comparing findings across industries, CyLab found that the financial sector has some of the strongest privacy and security practices in place, while energy and utilities had some of the weakest governance practices.

The report concludes with a set of recommendations to boards and senior management. These recommendations include:

  • "Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility."
  • "Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans."
  • "Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident."
  • "Require regular reports from senior management on privacy and security risks."
  • "Require annual compliance audits and test incident response, breach notification, disaster recovery, and crisis communication plans."

Data breaches, and loss of user data and other sensitive information, pose significant legal and reputational risks for companies. All companies should ensure that they have the systems and policies in place to manage risks to digital assets. These systems need to be regularly evaluated and properly resourced: this requires top-level attention from senior management and the board.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Corporate Social Responsibility | Attorney Advertising
