Board of Directors Cybersecurity Responsibility
- Ralph Labarta
- Apr 3, 2024
A recent article in the Wall Street Journal, "Cyber Leaders Struggle With Heightened Job Expectations, Communicating With Board", highlights the evolving nature of the relationship between directors, management and cybersecurity leaders.
The responsibility of any board includes understanding the risks faced by the organization and ensuring that an effective strategy is in place to minimize the business impact of those risks. This is not a new responsibility; however, the complexity and dynamic nature of the threat environment have left many board members uncertain about their approach to, and responsibilities for, cyber risk.
Director Responsibilities and Liability
If the organization experiences a significant cyber event, the board's actions related to cybersecurity and risk management will be scrutinized in regulatory or civil investigations. To date, successful shareholder lawsuits against directors for failure to properly address cyber risk have been limited, and landmark cases have set a high bar for director liability ("Chancery Court Addresses Board Responsibility Under Caremark for Cybersecurity Risk"). Nevertheless, courts have consistently identified cyber risk as a key board responsibility and continue to hear such cases, forcing boards to defend their actions, or lack thereof.
Directors should look to their Directors & Officers (D&O) liability insurance program to respond to any investigation or claim brought against them personally following a cyber event. It is therefore critical to confirm that the company's D&O policy will respond to a regulatory investigation and/or litigation alleging breach of fiduciary duty relating to a cyber event or data breach ("Marsh: Understanding Cyber Directors & Officers Liability Risks and Buying Insurance").
Board Cyber Approach
The fundamental responsibility of the board is to ensure that a cyber program is in place that appropriately addresses the organization's cyber risk. To confirm this, the board must be able to answer the following basic questions:
- Is there a documented cybersecurity program that defines management roles and responsibilities for cyber and information technology risk?
- Is there a documented business impact assessment that expresses cyber and information technology risk in financial terms?
- Has a third-party assessment of the organization's information technology controls been conducted against a recognized framework (e.g., an AICPA SOC 2 Type 2 report)?
- Are third-party penetration tests and vulnerability scans conducted, and are findings requiring remediation tracked to closure?
- Does the board regularly receive status updates on cyber and information technology activities and risks, and are they reviewed at meetings with management?
- Is cyber and information technology risk within the scope of the board's risk management committee's oversight?
- Is the board informed about regulatory and compliance developments applicable to the organization?
- Is the board informed about the organization's cyber posture relative to industry peers?
- Does the organization have appropriate insurance programs in place to cover cyber-related losses?
- Has the organization invested in cyber and technology resilience through robust backup and recovery capabilities, and are those capabilities tested on a consistent basis?
If board members can answer these questions, they are well positioned not only to ensure the company is managing cyber risk effectively, but also to defend their actions during an investigation.