From the Server Room to the Board Room: D&O and Cybersecurity Emerging Trends

by Reed Smith

With breaches of nearly 150 million Americans’ personal information flooding the news in the last few weeks, followed by the filing of more than 50 class action lawsuits to date and the announcement of an FTC investigation, cybersecurity is squarely on the minds of, and on the table in, boardrooms across the country. On September 14, 2017, Reed Smith was pleased to host Dawn-Marie Hutchinson, Executive Director with Optiv’s Office of the Chief Information Security Officer, to talk about the latest trends in information security and to support boards in this important emerging area. One of the most important questions to come out of the webinar was not so much “What should boards do?” but what boards are actually doing, and how boards and executives can benchmark themselves against their peers.

Importantly, this is an issue that has been closely monitored and extensively analyzed by the National Association of Corporate Directors (“NACD”). Not only has the group surveyed directors, but it has also written a handbook with extensive guidance for officers and directors. The guidance comes at a critical time: the market has been flooded with white papers and other guidance for information security professionals and CIOs on how to talk to boards about cybersecurity risk, while boards are asking among themselves and their advisers what they should be doing. The NACD identified five things it believes boards should be doing:

  1. Consider the Whole Enterprise. Cybersecurity is more than just an IT issue, and it should be approached holistically, including with respect to people, process and technology.
  2. Know the Law. Boards should be familiar with their own legal obligations and duties, AND those of the organization and business they are tasked with overseeing.
  3. Access Expertise. Both the quantity and the quality of the board’s discussions relating to cybersecurity matter. In addition to appropriate time and discussion at meetings, the board, as with other areas, can and should have access to experts to help inform their decision-making and oversight.
  4. Set Expectations. Many surveys suggest that while executive teams say cybersecurity is important, senior managers, a few levels down in the organization, may hear different messages. Board leadership and interest can help align and create the right tone and accountability.
  5. Manage Risks. Ultimately, the board can help ensure that risks are managed with intentionality. The board is in a unique position to identify, avoid, mitigate, transfer or accept risks, and to provide advice on the right mix of each of these strategies, including identifying and guiding the organization’s tolerance for risk.

So, what are boards actually doing, and how are they approaching these issues? While “big picture” risks are considered at the full board level by 96 percent of the boards responding to the NACD’s survey, only 46 percent of respondents identified cyber risk as an issue discussed by the full board; 51 percent of boards instead address cybersecurity risk at the Audit Committee level. Boards have increasingly come under scrutiny over their technology and risk expertise and are looking to strengthen both. At the same time, the NACD’s guidance makes no specific recommendation that boards possess cybersecurity expertise; rather, it suggests that the board itself is best equipped to use its business judgment to determine the competencies its members require.

Knowing the law is increasingly important. Consumer class actions and cybersecurity-related shareholder derivative suits alleging that directors have breached their fiduciary duties are growing rapidly, and Bloomberg has reported that the trend increasingly resembles the stock-drop strike suit environment that led Congress to pass the Private Securities Litigation Reform Act. The Chamber of Commerce reports that four law firms are responsible for virtually all of the privacy and cybersecurity-related lawsuits. Most of these cases are dismissed because of the difficulty of showing that the board failed to meet the required standard of care; boards are frequently protected by what is known as the “business judgment rule.” The dismissal of a suit brought against Home Depot is a good example of this type of suit, and of the challenges facing shareholders who allege that a board failed in its duties.

To protect themselves and obtain the benefit of the business judgment rule, boards are accessing expertise, setting expectations, and proactively managing risks, the remaining three of the NACD’s suggestions. According to the NACD, 77 percent of boards have reviewed their company’s current approach to protecting its most critical data assets, 31 percent have received education on the issues, and 59 percent have reviewed the company’s incident response plan. These and other activities can be very helpful, not only in obtaining dismissal of lawsuits alleging that the board failed in its duties, but also in avoiding such lawsuits altogether. Strikingly, only 31 percent of boards have engaged external advisers to help them understand the risk environment. Reliance solely on internal resources may limit the board’s visibility into broader trends and governance considerations, and may obscure real risks, because the people reporting on the risk are often the same people responsible for it. For example, a number of investors with cybersecurity expertise have been critical of organizations where the chief information security officer (or equivalent), if there is one, reports to the CIO, since the CISO is then assessing the security of systems that his or her own manager is accountable for delivering. In the words of one CISO,

“the job of the CISO is to tell the CIO their baby is ugly and no one wants to hear their baby is ugly.”

In addition to the challenge of speaking truth to power, aligning departmental motivations with broader risk management considerations is difficult without an enterprise-wide approach to the issues. Technology budgets may be large, but obtaining resources for people and processes may be hard, especially while demand for security experts continues to exceed supply (so-called negative unemployment). Together, these factors create the conditions for a perfect storm.

Thinking through these issues, learning which questions to ask, asking them, and then ensuring that action and accountability flow from the answers will continue to be critically important for boards. The NACD expects that in the relatively near future, 100 percent of boards will have to address cybersecurity issues. The NACD’s handbook for boards includes helpful guidance and supporting information, including recent analysis and guidance on evaluating and supporting mergers and acquisitions, an increasingly important risk area for many companies.

In thinking about cybersecurity risk management and intentionality, Gerry Stegmaier, a partner in Reed Smith’s IP, Tech & Data Group who formerly defended SEC and securities class action cases, summed up an approach when he said,

You can’t stop security incidents. But, you can manage risk intentionally. Just like zebras crossing crocodile-infested waters, organizations can understand that they don’t need to go first, go last, and shouldn’t be small, but, just like zebras, they must cross.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Reed Smith | Attorney Advertising
