“Where was the Board?” is asked every time a major hacking causes yet another data breach. Data breaches and ransomware attacks occur every day, with massive impacts on companies’ finances, market value, and reputation. In fact, cyberattacks are estimated to cost companies between $400-500 billion a year. Long gone are the days of assuming that cybersecurity could be addressed only by the CIO, CISO, or the IT department. Just as boards oversee their company’s CFO and financial functions through the audit committee, boards must now oversee their company’s cybersecurity, as is becoming increasingly clear to board members. Nearly 90 percent of respondents in a National Association of Corporate Directors survey (NACD) reported that their boards discuss cybersecurity on a regular basis. However, a mere 14 percent of those same directors believe that their boards have a high level knowledge of cybersecurity risks.
This is problematic because cybersecurity is now a key function of boards, and boards can face direct legal liability when data breaches occur in the form of shareholder derivative suits. Not only can these suits be expensive and distracting to litigate, even the threat of such a suit is expensive and distracting to investigate. Investigations can last months, if not years, and cost millions of dollars in experts, outside counsel, and document review. Indeed, the SEC has also made clear that it too is concerned with board oversight of cybersecurity risks and seems to be establishing the groundwork for enforcement actions in this area. In February 2018, the SEC released the “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, which stated that publicly traded companies with cybersecurity risks that are material to a company’s business (a category that may well cover all public companies) must disclose the nature of the board’s role in overseeing and managing that risk.
Thus, boards must protect their companies and themselves by thinking through and documenting their cybersecurity oversight in advance of a breach. For most boards, the NACD provides a good framework for how to address cybersecurity oversight.
-
First, directors must view cybersecurity as a company-wide risk management issue, not just an IT issue. For this reason, cyber risk management should be given regular time on board agendas. It is important that directors understand the specific legal and financial implications of cyber risks as they relate to their company’s particular circumstances.
-
Boards also need access to cybersecurity expertise on a consistent basis – often by seeking their own legal and technical advisors.
-
Directors should give management adequate staffing and budgets to address cybersecurity issues and maintain a robust cybersecurity framework. Of course, boards will have to make choices about which risks to avoid, accept, mitigate, or insure because it is impossible to avoid cyber risk altogether. Thinking this issue through carefully – and documenting why the decisions were made – is key to demonstrating that a board is meeting its cybersecurity oversight responsibilities.
Cybersecurity may be a new problem, but its solution is subject to Benjamin Franklin’s ageless advice – an ounce of prevention is worth a pound of cure.
