Cyber Security Duties of Corporate Directors — Part III
In Cyber Security Duties of Corporate Directors — Part I, we discussed the fiduciary duties of corporate directors. In Part II, we went into the regulatory obligations for cyber risk governance and the case for taking a proactive approach to cyber security rather than reacting to a catastrophic cyber attack. Now we get into some practical ways to apply cyber risk oversight as a board director.
PRACTICAL ADVICE
The eight components outlined below illustrate, in practical terms, your role in cyber security as a corporate director:
1. Education & Training
o Show due diligence by seeking out specialized training for the board and senior leadership and becoming cyber literate.
2. Documentation
o Maintain records of boardroom discussions on cyber security by documenting them in the board meeting minutes.
3. Assessments & Review
o Conduct a complete cyber security assessment to determine compliance with industry cyber security standards, covering the following areas:
A. The internal ‘People’ component of cyber security
B. The ‘Process’ component of cyber security
C. The ‘Technology Infrastructure’ component of cyber security
o Review your organization's cyber insurance and D&O insurance coverage and fill all gaps.
o Assess the cyber security level of all outside organizations you do business with.
4. Roles & Responsibilities
o Regularly consult with in-house counsel, audit committees and risk management committees on cyber security.
o Ensure senior management is implementing and monitoring the cyber security program across the entire enterprise.
o Ensure that management is reporting back to the board on the effectiveness of the cyber security controls.
5. Consultation
o Consult with outside cyber security experts.
o The main role of these advisers is to provide objective perspectives and indicate where the organization is and is not meeting industry standards.
6. Contract Negotiation
o Negotiate terms with the following third-party partners before a data breach happens:
A. Legal Advisers
B. Public Relations Advisers
C. Cyber Forensics Providers
D. Government Organizations
7. Policies & Procedures
o Ensure that your policies and procedures, including your computer use policy, comply with industry standards for data protection.
8. Incident Response & Business Continuity Planning
o Become familiar with your Incident Response Plan.
o Regularly test the Incident Response Plan.
Your return on investment in cyber security is measured by your continued ability to maintain your competitive advantage. It allows you to expand and flourish while your competition is reeling from loss of customers, brand tarnishing, regulatory fines, lengthy litigation, long-term stress and a massive drain on company resources in the aftermath of a cyber attack. Thoughtful, well-planned cyber security oversight on your part makes for a compelling brand narrative and a good legal defense: it shows you have acted proactively, reasonably and responsibly in discharging your fiduciary duties.
Dominic Vogel,
