Alert: FTC Expects Board-Level Cybersecurity Oversight

Cooley LLP

Federal Trade Commission (FTC) staff published a blog post that highlights increased cybersecurity threats and emphasizes the key role corporate boards play in a successful cybersecurity program: “Corporate boards: don’t underestimate your role in data security oversight.” Boards that are not actively considering cybersecurity risks should take notice.

The FTC’s post contains five recommendations:

1. Make data security a priority.

Boards are ultimately responsible for data security. According to the FTC, “data security begins with the Board of Directors, not the IT Department.” Boards should set high expectations regarding data security, build a team of stakeholders from throughout the organization, establish formal board-level oversight and hold regular security briefings. While there is no one-size-fits-all approach, a board-level cybersecurity committee or subcommittee can be an effective way to foster board engagement.

2. Understand your company’s cybersecurity risks.

Board members should demonstrate a sophisticated grasp of the data security challenges their organization faces. While a board does not need to manage day-to-day operational security of the company, they should set priorities and allocate appropriate resources to manage cybersecurity risks. Board members should be in active dialogue with cybersecurity leaders within the organization (again, this can occur via a board cybersecurity committee or subcommittee).

3. Don’t confuse legal compliance with effective cybersecurity.

To have an effective cybersecurity program, boards cannot view cybersecurity as a formulaic, check-the-box exercise. Cybersecurity threats are quickly evolving, and every company’s risk profile is unique. Boards should have regular, in-depth conversations about the adequacy of their company’s cybersecurity policies and procedures.

4. Preparation is key.

Even the best preventative measures sometimes fail – indeed, boards should probably assume that they will fail. It is critical for boards to ensure the company invests in robust incident response plans with clear escalation guidelines, including board notification where appropriate. It is increasingly difficult to prevent and respond to security incidents. When one occurs, every minute counts.

5. Learn from mistakes.

Boards should not only learn from their own cybersecurity challenges but also analyze challenges faced by competitor organizations. Industries can face similar vulnerabilities, and this review may lead to the discovery of latent, undetected incidents or potential incidents. Periodic, independent third-party assessments are an effective way to track progress and identify risks. Third party assessors are often essential partners in preventing and responding to a cyberattack.

Board engagement with cybersecurity issues does not occur in a vacuum. The risks to company and customer data are real, and in the event of a breach, regulatory enforcement is a distinct possibility. FTC challenges to allegedly deceptive or unfair data security practices led to recent settlements with SkyMed International and Tapplock. In its complaint against SkyMed, the FTC alleged the company failed to take reasonable steps to secure sensitive consumer information by, among other practices, not securing databases with customer information and failing to assess risks through network monitoring and penetration testing. In its complaint against Tapplock, the FTC alleged the company failed to take reasonable precautions such as implementing written data security standards, policies, procedures or practices, or implementing adequate privacy and security guidance or training for relevant employees.

In addition to tracking Securities and Exchange Commission (SEC) guidance on cybersecurity risks, boards should take notice and incorporate the FTC’s guidance and lessons learned from recent FTC settlements into their cybersecurity committees or other oversight mechanisms.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Written by:

Cooley LLP

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.