This blog is part of our Board Oversight Series, an interactive collection of resources on Cyber Risk.
As corporate assets become increasingly digital, cybersecurity will remain central to board-level discussions of risk and long-term strategy. Yet we find that many board members are still uncertain about their duties surrounding cyber risk, particularly as those duties relate to board liability in the wake of a data breach.
In a recent episode with William Chandler, Former Chancellor of the Delaware Court of Chancery and Partner at Wilson Sonsini Goodrich & Rosati, we discussed the legal standards a board is expected to meet in the course of overseeing cyber risk throughout the organization. We also sat down with Beth George, Of Counsel for Wilson Sonsini Goodrich & Rosati, to further understand what boards can do to better protect themselves and the organization in the case of a cyber incident. We’ve arrived at three suggestions for board members related to cyber risk and board liability:
1. Understand the Board’s Duties Related to Cyber Risk
Directors have basic fiduciary duties of care and loyalty. From these basic duties comes the “duty of oversight” or “monitoring the corporation”, explained Chandler in his recent episode.
“The board’s obligation is to establish a system that will monitor [risk]—whether it’s legal compliance or potential data security risk,” said Chandler, citing the landmark 1996 Delaware Court of Chancery case In re Caremark International Inc. Derivative Litigation, which established the precedent for the board’s risk oversight duties. Once the board has established a system for monitoring cyber risk, it must be able to demonstrate that it is following its own process and responding to red flags.
In the case of a cyber breach, Chandler explained, that’s the test a judge will use: (1) Has the board created a system to monitor cyber risk? (2) Is the board addressing any deficiencies or weaknesses and responding to them in a timely manner?
“It’s a very high standard to show that a director has breached that duty,” said Chandler, explaining that it is one of the most difficult standards under corporate law for a plaintiff shareholder to meet. Yet if a board has no process in place (or, more importantly, no record of that process), the water gets murky very quickly.
2. Demonstrate that the Company has Prioritized its Greatest Cyber Risks and Structured Protections Accordingly
The board’s job is to ensure that management is overseeing cybersecurity effectively, a duty that is difficult to fulfill without asking the right questions of management. To mitigate potential liability risk, the board should be able to demonstrate that it understands the greatest cybersecurity risks facing the company, explained Beth George. She outlined several questions that boards should be asking of management before a breach happens:
- What are the company’s top cybersecurity risks?
- Who is ultimately responsible for addressing them?
- Is the company using a recognized standard, such as the CIS Controls or the NIST Cybersecurity Framework, to understand and measure its cybersecurity maturity?
- What resources is the company investing in cybersecurity and where is the company underinvested?
- What is the timeframe for remediating known cybersecurity weaknesses, and how is the company progressing against that timeline?
“Asking these questions–and exercising judgement and control over the company’s decisions–can help board members demonstrate that they discharged their duties regarding cybersecurity risks in the event of a breach in the future,” said George. Most importantly, it’s the board’s responsibility to document these oversight actions.
I use this old metaphysical story: If a tree falls in the forest, and there’s no one there to hear it, does it make a noise? The corporate law analog to that is: if a board follows an exemplary process but has no record of it, will the judge still respect what the directors did? You don’t want to find out the answer to that.
3. Spend Equal Time on Crisis Response
Cyber threat identification and reduction is an important part of the board’s risk oversight duties. However, today’s companies can no longer assume they will be able to prevent every cyberattack. How the organization responds in the precious hours following a cyber breach often determines the severity of the crisis and its long-term effects.
Furthermore, boards without a tested incident response plan are more likely to make mistakes following a cyber breach, such as missing regulatory disclosure requirements or putting a poorly informed spokesperson in front of the public.
“Many companies have written incident response plans,” said George, “but in the event of a breach, the plan is never referenced.” (More on crisis response planning in our recent post, Before the Breach: 4 Board Lessons in Cyber Breach Preparation).
To be truly effective, a company’s incident response plan needs to reflect the company’s current assets and threats, as well as any regulatory or contractual obligations. Most importantly, it needs to be tested to ensure it reflects the priorities and interests of the company.
The best way to practice those skills is through table-top exercises, explained George. By simulating a crisis, companies can identify weaknesses in their plans and prepare to coordinate across teams that rarely work together.
“Boards should ask management about how often their incident response plan has been updated,” said George. Boards should also ensure management is addressing any weaknesses identified through the simulation.
Cyber risk has introduced many uncertainties into the boardroom; however, by establishing a documented risk oversight process and rehearsing a coordinated response, today’s directors can approach it with confidence.