The Board of Directors and Cybersecurity: Setting up the Right Structure

Security breaches have become a staple of the daily news. A national restaurant chain announced in August 2014, that a payment card processing system breach involved 33 restaurants in 18 states and that the incident lasted nearly six months. In December 2013 and January 2014, three major retailers acknowledged cyber-attacks affecting over 70 million customers; in October 2013, a major software company acknowledged that hackers had accessed customer names and card information for up to 2.9 million customers; and in May 2013, a daily-deal company announced that information about more than 50 million users may have been accessed in a cyber-attack. Hackers brought down a major bank’s website in March 2013, and a month earlier, a social media platform announced that hackers had accessed the personal information of as many as 250,000 users. These are just a few examples of recent cyber-attacks against major corporations. Security experts now claim that data breaches and cyberattacks are not a matter of ‘‘whether,’’ but of ‘‘when.’’Such attacks cause major headaches for targeted companies,lead to declines in enterprise value, and create significant liability.

As security breaches proliferate, their consequences are becoming increasingly severe. However, a 2012 report by the Carnegie Mellon CyLab, RSA, and Forbes exposes the generally hands-off approach of many corporate boards of directors where cyber threats are concerned. That report found that ‘‘boards still are not undertaking key oversight activities related to cyber risks.’’ Cybersecurity is a highly technical area and not a revenue-generating expenditure, but rather a cost saving one. Nevertheless, a successful cyber-attack can lead to a drop in share price, regulatory action, negative publicity, and possibly personal liability for board members. As Securities and Exchange (‘‘SEC’’) Commissioner Luis A. Aguilar explained in June 2014 remarks to the New York Stock Exchange (‘‘NYSE’’), ‘‘ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.’’ However, only 31 percent of those surveyed for the CyLab report stated that their boards regularly reviewed reports of security breaches.

Originally Published in BNA’s Banking Report, 103 BNKR 458 - August 26, 2014.

Please see full Publication below for more information.

LOADING PDF: If there are any problems, click here to download the file.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BuckleySandler LLP | Attorney Advertising

Written by:


BuckleySandler LLP on:

JD Supra Readers' Choice 2016 Awards
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.