Data breaches and ransomware attacks are increasing every day and often have a huge impact on a company’s finances, market value and reputation. In fact, a 2016 Forbes article indicated that cyber attacks cost companies $400 to $500 billion a year. For this reason, it is now widely accepted that boards of directors must take responsibility for their companies’ cybersecurity. Gone are the days of passing the cybersecurity buck solely to the CISO, CIO or the IT department.
Cybersecurity has become a board-level problem. Indeed, nearly 90 percent of respondents in a National Association of Corporate Directors (NACD) survey reported that their boards discuss cybersecurity on a regular basis. However, this level of board engagement may conceal how ill-prepared many boards are to address this issue. A mere 14 percent of those same directors believe that their boards have high-level knowledge of cybersecurity risks. This is extremely problematic because the risks that major cyber attacks pose to companies and boards are growing.
Putting aside for the moment the direct risk to a company from a successful hack, boards face significant indirect legal risks. For example, public company boards are under increasing pressure from the SEC to oversee cyber risks. In February 2018, the SEC released the “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” which stated that publicly traded companies with cybersecurity risks that are material to a company’s business (a category that may well cover all public companies) must disclose the nature of the board’s role in overseeing and managing that risk. In addition to potential SEC action, boards have also faced direct legal liability when data breaches occur, in the form of shareholder derivative suits. When shareholders threaten suit, boards spend considerable time and resources investigating shareholder demands, even if the shareholder litigation does not ultimately succeed. These investigations can last months, if not years, and cost hundreds of thousands of dollars in experts, outside counsel and document review, as seen in the Target and Home Depot cases. On top of these fees may come the cost of settling the lawsuits, which can also run into the millions of dollars.
“Cybersecurity cannot become a board issue for the first time after a breach occurs.”
So What Should Boards Do?
Directors need to prioritize cybersecurity as a regular fixture on the board meeting agenda. An example of this is the Wyndham case. Between 2008 and 2010, hackers breached Wyndham’s main network three times to collect sensitive customer data. In 2013, a shareholder brought a demand for investigation against Wyndham’s corporate board of directors, demanding that Wyndham investigate the breaches and rethink its cybersecurity protocols. At the time of the demand, the board had already been discussing the data breaches and Wyndham’s cybersecurity framework on a regular basis for years. Thus the Wyndham board decided to ignore the shareholder’s demand for an investigation. The shareholder filed suit, claiming that the Wyndham board’s decision was unreasonable. The court sided with the Wyndham board and granted its motion to dismiss. The court held that the Wyndham board’s regular discussions of the data breaches and of the company’s cybersecurity protocols in general demonstrated that the board had a firm grasp on the plaintiff’s demand when it decided to reject it.
Thus there is a significant legal importance to board involvement in cybersecurity discussions. Luckily for boards and counsel alike, NACD has issued a Director’s Handbook with five key takeaways:
- Directors should view cybersecurity as a company-wide risk management issue, not just an IT issue. Given the personal liability that data breaches cause for directors, directors would be wise to stay abreast of their companies’ cybersecurity protocols.
- Directors should understand the specific legal implications of cyber risks as they relate to their company’s specific circumstances. Is the company public? Does the company perform work overseas? All these factors can impact the legal implications that cyber attacks may have on a company.
- Boards should have adequate access to cybersecurity expertise and discussions about cyber risk management should be given regular and adequate time on board meeting agendas. Not only will this help directors stay apprised of cybersecurity developments but as seen in the Wyndham case, courts look favorably upon a board that discusses cybersecurity issues on a regular basis.
- Directors should set the expectation that management will establish an enterprise-wide management framework with adequate staffing and budget.
- Board-management discussions about cyber risk should include identification of which risks to avoid, accept, or mitigate/transfer through insurance. Since it is nearly impossible for boards to avoid cyber risk altogether, it is best to identify the company’s priorities.
Finally, boards should consider asking counsel to brief them about the requirements that apply to the company and engage counsel to help the board assess the company’s cybersecurity protocols on a regular basis. The importance of outside advice cannot be overstated. Studies routinely find that a majority of IT staff do not report cybersecurity risks until they are urgent (and more difficult to mitigate) and that IT staff routinely try to filter out negative results when reporting cybersecurity risks to companies. Boards need to take this responsibility seriously. Cybersecurity cannot become a board issue for the first time after a breach occurs.