Corporate boards will face the spotlight in cybersecurity incidents
The board will be closely watched in the face of a cyberattack or data breach.
In my last article, I noted that corporate boards, especially those of public companies, are facing increased scrutiny and liability exposure in relation to cybersecurity and data privacy. While companies continue to gather and store large amounts of data, they are also more and more likely to be subject to a damaging cyberattack or data breach. The actions and composition of boards will be closely watched in the court of public opinion as well as by the courts themselves and by lawmakers.
The impact of a data breach should not be underestimated. A breach can lead to regulatory investigations by a number of agencies, including the Federal Bureau of Investigation, Secret Service, Immigration and Customs Enforcement as well as through enforcement actions by regulators including State Attorneys General, the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), among many others.
Companies also face a potential loss of intellectual property and trade secrets as well as litigation brought by harmed customers, business partners, or shareholders. Major reputational damage and loss of investor confidence can also occur, often accompanied by decreased stock price. Furthermore, a breach can cause organizational leadership to be refocused, taking away from the operations of the business. The board, therefore, will need to be careful to take practical step to ensure proper oversight over how their organization manages cyber threats.
How knowledgeable does a board need to be?
Boards are charged with risk oversight. Because cybersecurity issues are complex and technical, it is common for directors to express anxiety regarding whether the board has sufficient expertise and is informed enough to serve its risk oversight function in this area. Directors often rely on company senior management to educate directors on cybersecurity issues. To ensure the board has a broad, unbiased view of the cybersecurity risks it should be evaluating, directors should assess when the board could benefit from independent briefings on cybersecurity risk rather than relying solely on the officers who report to them.
Greater scrutiny over whether the board has such experience is evidenced by legislation re-introduced in Congress last year. The bipartisan Cybersecurity Disclosure Act of 2017-18 (S.536) would require publicly traded companies to disclose the cybersecurity expertise of any members of the board or general partner and, if the board does not have such expertise, disclose the measures they have taken to identify and nominate future nominees to the board. While the bill was first introduced in 2015, given the recent highly-publicized cybersecurity incidents at public companies, there is more momentum now than ever before. Even assuming the bill does not pass, the legislation emphasizes the likelihood that the SEC could likely consider board cybersecurity expertise a when evaluating whether a registered entity has a sufficient cyber risk management program.
Apart from non-binding guidance for boards to have cyber expertise, the “business judgement rule” applies to decisions that the board makes, including regarding oversight of cybersecurity issues. In general, so long as a board meets the standards of care, duty, and loyalty the business judgement rule generally shields boards from liability from shareholder lawsuits (including following massive security incidents). Directors must follow the same business judgment principles that they use for evaluating all other company risks, such as those associated with corporate strategy and performance. These standards require that directors do more than simply understand that threats exist and passively receive reports from an audit committee or internal company management.
How should boards educate themselves about cybersecurity risks?
While the entire board is responsible for risk oversight generally, more than half of boards delegate responsibility for overseeing cybersecurity risk oversight solely to a compliance or audit committee. To demonstrate a commitment to cybersecurity, and to ensure that the subject is given proper attention, the board should consider including cybersecurity on its agenda at full board meetings as frequently as necessary based on the level of risk the company faces from data-related attacks, and as specific incidents and situations warrant. Boards should give serious consideration to whether to include cybersecurity in discussions regarding new business plans, mergers and acquisitions, new-market entry, and other significant decisions impacting the health and direction of the company. The board minutes should reflect the occasions when cybersecurity is discussed.
Regardless of whether the board, an audit committee, or management is responsible, the obligation to monitor, assess, and respond to cyber risk should be clearly defined. The Chief Information Security Officer (or similar position) should have sufficient budget authority, staff resources and independence in order to operate effectively. Whether or not a CISO exists, the board could consider whether the head of cybersecurity should directly report to a senior C-level officer instead of a manager one or more levels down the chain. Relying on the Chief Executive Officer to update the board on cyber risk may not be enough. A recent report by the Financial Services Information Sharing & Analysis Center (IS-ISAC) found that only 8 percent of cybersecurity heads at U.S. financial institutions report directly to their CEO.
The results of cyber risk monitoring need to be reported to the board appropriately. Committee briefings regarding cybersecurity programs, risks, and updates should occur regularly.
How should cyber risk be reported to the board?
The ongoing findings provided by management to the board should inform the Directors about the type and degree of the company’s cybersecurity vulnerabilities. According to the NACD 2017 edition of “Directors Handbook on Cyber-Risk Oversight,” a risk report should include capabilities i.e., successes (including IT risk management and third-party security) as well as key risks, a corresponding risk level, related findings, and trends. These indictors should show patterns over time, indicate actual and potential impact on business operations and cost, and benchmark next to peers (to the extent possible). Above all, it is recommended that the metrics provided enable frank discussion, analysis and dialogue, which requires a proper understanding of the issues at play.
While the board need not know about every single incident, companies’ incident response or similar policies should include factors that can be analyzed to determine their severity and when escalation to the board is appropriate. A company cannot learn from and respond to criminal breaches if the board is not properly informed about aggregated information about attacks. The median number of days an organization is compromised before discovering a cyber breach is 146, and less than half are discovered internally, as opposed to by third parties or law enforcement.
To appropriately assess the successes and shortcomings of the company’s cybersecurity program, the board must be informed of aggregate information about successes, i.e., incidents that were blocked. Armed with this knowledge, the board can more appropriately make risk tolerance and business decisions about how to allocate resources for cybersecurity. Increased cybersecurity measures may also result in improvement in business efficacy, and avoiding breaches can save companies a great deal of money.
Armed with the knowledge of the organization’s cyber risk, the board – especially for data-centric companies that hold consumer data – should engage management regularly about the company’s most critical data assets, where they reside, how they are accessed, who has permission to access them, and how and how often those systems are tested to ensure they are adequately protected. They should ensure that adequate policies, including crisis preparedness, are in place; that appropriate budgets are allocated to IT security, which also includes funds for staff training and information dissemination within departments and throughout the organization; that proper experts and outside counsel are hired; and that the company has appropriate cyber skill in IT.
How should boards disclose these risks?
The SEC released updated guidance on cybersecurity disclosure for public companies on February 21, 2018.
The SEC listed cybersecurity as a top concern beginning back in 2014. In recent years, the Commission explicitly argued that a public failure of public companies to take disclosure obligations seriously would result in enforcement action. SEC disclosure guidance requires a company to determine disclosure obligations based on the “potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and the impact of the incident on the company’s operations.” Other disclosure obligations include any pending or threatened legal proceedings as well as insurance coverage, the effectiveness of current controls and procedures, as well as a number of points on financial statement disclosures including prevention cost.
One of the focuses of the February 21, 2018 update was on the role of the boards. The new guidance notes that a company must include a description of how the board administers its risk oversight function to allow inventors to assess how the risk oversight function in this area is being discharged. The board should review Company disclosure procedures to ensure that they are properly managed. The guidance goes on to emphasize requirements concerning timely data breach disclosures to investors.
The guidance also subtly points to the potential of civil lawsuits if transparency is not forthcoming. Shareholder derivate suits are increasing used by investors after data breaches. These are often based on claims alleging breach of fiduciary duties, mismanagement and material omissions. This can be seen in recent shareholder lawsuits against Wyndham and Target, among others.
Apart from the SEC guidance, there are a plethora of other cybersecurity-related regulations and industry standards that boards should also be aware of. This includes the Health Insurance Portability and Accountability Act (for health insurers and providers and their partners), the NY Department of Financial Services Cybersecurity Regulation (for financial institutions and insurance companies licensed in NY), incoming requirements under the EU General Data Protection Regulation, which applies to almost every organization that collects even the first and last name of EU persons, a flood of new state laws requiring businesses to implement cybersecurity programs to protect personal information, among many others.
The role of boards in cybersecurity risk mitigation and public company disclosures is therefore very much in the limelight and more important than ever. Given how business critical cybersecurity has become, the board will need to carefully consider its role, responsibilities and expertise or education going forward.
This article is published as part of the IDG Contributor Network. Want to Join?
Tara Swaminatha is a data privacy and cybersecurity partner at Squire Patton Boggs in Washington, D.C., and was previously a federal prosecutor in the Computer Crime & Intellectual Property Section at the U.S. Department of Justice. She is recognized as a Cybersecurity Trailblazer and ranked as a Next Generation Lawyer on cybercrime.