Cyber Security Duties of Corporate Directors — Part I
The topic of Cyber Security Leadership is so broad that we cannot hope to cover it in one short article. As corporate directors and officers, you are held to a higher standard of care than all other employees within your corporation. In the event of a cyber attack, particularly a high-profile data breach, you go from being the victim of a crime to being the recipient of customer and shareholder scrutiny, a target of litigation and the subject of regulatory fines. Essentially, you are attacked by organized crime on one side and by plaintiff lawyers on the other. Truly, this is not an enviable position to be in, and we are doing everything in our power to prevent it from happening to you. In the event that you are the victim of a cyber breach of this magnitude, we want to help you be as prepared as humanly possible so that the consequences are minimized and the results are not catastrophic. The intent of this article is to outline a way of thinking and provide an overview of categories to consider, with practical actions you can take.
CYBER SECURITY FIDUCIARY DUTY
The corporate board of directors has the ultimate responsibility for cyber security. Cyber security is not just an IT issue — it is a core, enterprise risk issue which falls under your fiduciary duties as a board member. In your duty of care, you must use good business judgement in all aspects of business operations. This means acting in good faith, in the best interests of the corporation, on an informed basis, and not wastefully or in your own self-interest. This sets the stage for the Business Judgement Rule. The Business Judgement Rule works in favor of corporate board directors when they come under legal attack for decisions that result in harm to the corporation. As long as these business decisions do not involve “direct self-interest or self-dealing, corporate directors act on an informed basis, in good faith, and in the honest belief that their actions are in the corporation’s best interest (Wikipedia),” the Business Judgement Rule applies.
Cyber risk management must be given a proper allocation of your time, attention and corporate resources. It is your job to ensure management is setting the cultural tone for the organization, which includes cyber security awareness. Cyber risk must be integrated into your organization’s Enterprise Risk Management Framework. As with each category of Enterprise Risk (Operational Risk, Environmental Risk, Health & Safety Risk, Project Risk, Strategic Risk, etc.), clear communication and reporting are critical to maximize leadership’s line of sight into the subject. The board, senior management, business unit leaders, IT, HR, committee leaders and third-party service providers must all be on the same page concerning the level of detail, the frequency and the format of the cyber security reports you require. Concerning third-party vendors and partners, the importance of understanding their security posture cannot be overstated. Smaller companies are a gateway into mid-sized and larger companies for cyber criminals — a pattern we have seen repeated in multiple high-profile cyber attacks in recent years.
When it comes to handling critical, sensitive digital assets, a director must show reasonableness in protecting the sensitive data in their care. Directors must proactively ensure that an effective cyber security program is in place and that they are prepared to handle a data breach, should one occur. Taking these critical precautions demonstrates that the board acted with reasonable care and in good faith, which forms a more solid legal defense in litigation against the organization and the board directors themselves. Conversely, if opposing plaintiffs can, in any way, prove that the board failed to exercise cyber security oversight, either by not putting proper control systems in place or by neglecting to monitor those systems and/or to act on warnings, your chances of success in the courtroom are significantly diminished.
In Part II of this article, we will go into regulatory obligations for cyber risk governance, as well as how to take a proactive approach to cyber security instead of having to react to a catastrophic cyber attack scenario.