[BreachExchange] Breaches and the Boardroom: How Directors Can Avoid Liability for Data Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 9 21:00:33 EDT 2018


https://www.jdsupra.com/legalnews/breaches-and-the-boardroom-how-34251/

“Where was the Board?” is asked every time a major hacking causes yet
another data breach. Data breaches and ransomware attacks occur every day,
with massive impacts on companies’ finances, market value, and reputation.
In fact, cyberattacks are estimated to cost companies between $400 and $500
billion a year. Long gone are the days of assuming that cybersecurity could
be addressed only by the CIO, CISO, or the IT department. Just as boards
oversee their company’s CFO and financial functions through the audit
committee, boards must now oversee their company’s cybersecurity, as is
becoming increasingly clear to board members. Nearly 90 percent of
respondents in a National Association of Corporate Directors (NACD) survey
reported that their boards discuss cybersecurity on a regular basis.
However, a mere 14 percent of those same directors believe that their
boards have a high-level knowledge of cybersecurity risks.

This is problematic because cybersecurity is now a key function of boards,
and boards can face direct legal liability when data breaches occur in the
form of shareholder derivative suits. Not only can these suits be expensive
and distracting to litigate, but even the threat of such a suit is expensive
and distracting to investigate. Investigations can last months, if not
years, and cost millions of dollars in experts, outside counsel, and
document review. Indeed, the SEC has also made clear that it too is
concerned with board oversight of cybersecurity risks and seems to be
establishing the groundwork for enforcement actions in this area. In
February 2018, the SEC released the “Commission Statement and Guidance on
Public Company Cybersecurity Disclosures”, which stated that publicly
traded companies with cybersecurity risks that are material to a company’s
business (a category that may well cover all public companies) must
disclose the nature of the board’s role in overseeing and managing that
risk.

Thus, boards must protect their companies and themselves by thinking
through and documenting their cybersecurity oversight in advance of a
breach. For most boards, the NACD provides a good framework for how to
address cybersecurity oversight.

- First, directors must view cybersecurity as a company-wide risk
management issue, not just an IT issue. For this reason, cyber risk
management should be given regular time on board agendas. It is important
that directors understand the specific legal and financial implications of
cyber risks as they relate to their company’s particular circumstances.
- Boards also need access to cybersecurity expertise on a consistent basis
– often by seeking their own legal and technical advisors.
- Directors should give management adequate staffing and budgets to address
cybersecurity issues and maintain a robust cybersecurity framework. Of
course, boards will have to make choices about which risks to avoid,
accept, mitigate, or insure because it is impossible to avoid cyber risk
altogether. Thinking this issue through carefully – and documenting why the
decisions were made – is key to demonstrating that a board is meeting its
cybersecurity oversight responsibilities.

Cybersecurity may be a new problem, but its solution is subject to Benjamin
Franklin’s ageless advice – an ounce of prevention is worth a pound of cure.