The use of cloud computing, mobile devices and social media adds significant corporate risks beyond the traditional security risks arising from networks, databases and e-mail. A cyber security breach can cause serious operational disruptions, create financial costs and damage a company’s brand and reputation. As part of risk management, a company’s board of directors should proactively identify, delegate and monitor the security risks presented by networked businesses. Numerous studies have concluded that directors are lagging in anticipating and preparing for cyber security risks. (Jody Westby, “Boards Are Still Clueless About Cybersecurity,” Forbes.com, May 16, 2012.)
While directors are not expected to become experts in cyber security and are entitled to rely on management and outside experts for guidance and advice in this area, directors owe the company and its shareholders a fiduciary duty of care and a duty to protect corporate assets. Adherence to their good-faith obligation requires directors to establish systems and pay appropriate attention to inside and outside information to ensure that they are able to spot “red flags.”
Red flags are the issue in the second category of cases: those raising questions about when the board should have known that something was going on and should have taken “extra” action. For example, red-flag situations arise when a single dramatic incident points to a flaw in an internal-control or compliance system, or to a problem outside of the system. Red flags also arise where concerns recur over a period of time sufficient to bring them to the board’s attention. (For more, see Hillary A. Sale, “Monitoring Caremark’s Good Faith,” Delaware Journal of Corporate Law (DJCL), Vol. 32, No. 3, 2007; U Iowa Legal Studies Research Paper No. 07-32.)
For this reason, an increasing number of companies have charged their standing audit committee with overseeing the risk management activities associated with cyber security policies. (Risk & Compliance Journal, Deloitte Insights, August 2, 2013.)
Even with this responsibility delegated to a subcommittee, directors have an ongoing duty to ensure protections are in place and that cyber security remains a regular inquiry of the board.
There are three distinct aspects of cyber security that should be addressed by directors: prevention, detection and, if a company is publicly traded, disclosure to the Securities and Exchange Commission. Part I of this article addresses prevention and detection.
Prevention. Directors must determine whether the company is appropriately assessing its risks and devoting adequate resources to the issue of cyber security. Appropriate assessment starts with the following:
- Evaluate the company’s budgeting for cyber security as compared to peer groups;
- Include cyber security as part of existing risk management;
- Delegate cyber security and data privacy to a standing committee;
- Require periodic updates from the chief information officer on technological and industry developments in cyber security risks and remedies; and
- Require management to prioritize risks, both internal and external, recognizing what information is the most sensitive and critical, where it is located, how it is protected and the potential effects of a security breach.
Detection. Directors should approve a security program under the direct supervision of a C-level officer, with an eye to best practices and standards, that includes a plan for employee training, disaster recovery, and internal and external communications. Directors should also:
- Approve a contingency and response plan for a cyber security incident;
- Approve policies for data and security as they relate to employees and third parties; and
- Require an annual review of the company’s cyber security policies and procedures in light of company-level concerns, industry-level concerns and technological developments.
Part II of this article will address disclosure and some questions to consider.