The Board’s Role in Managing Cybersecurity Risks
Cybersecurity can no longer be the concern of just the IT department. Within organizations, it needs to be everyone’s business — including the board’s.
Today, more than ever, the demands of cybersecurity clash with both the need for innovation and the clamor for productivity. Increasingly, cybersecurity risk includes not only the risk of a network data breach but also the risk of the entire enterprise being undermined via business activities that rely on open digital connectivity and accessibility. As a result, learning how to deal with cybersecurity risk is of critical importance to an enterprise, and it must therefore be addressed strategically from the very top. Cybersecurity management can no longer be a concern delegated to the information technology (IT) department. It needs to be everyone’s business — including the board’s.
Cybersecurity Enters the Boardroom
Network breaches have become so routine that only the most spectacular events, such as the recent breach at the credit reporting agency Equifax Inc. that affected some 143 million U.S. consumers, make headlines. Corporate boards of directors are expected to ensure cybersecurity, despite the fact that most boards are unprepared for this role. A 2017-2018 survey by the National Association of Corporate Directors (NACD) found that 58% of corporate board member respondents at public companies believe that cyber-related risk is the most challenging risk they are expected to oversee. The ability of companies to manage this risk has far-reaching implications for stock prices, company reputations, and the professional reputations of directors themselves. For example, following a 2013 data breach of Target Corp., in which the personal information of more than 60 million customers was stolen, a shareholder lawsuit charged directors and officers with having fallen short in their fiduciary duties by failing to maintain adequate controls to ensure the security of data. Although the board members were ultimately not found to be at fault, both the company’s CEO and CIO resigned.
U.S. case law is based on and generally adheres to the “business judgment rule,” which sets a high bar for plaintiffs pursuing legal action against board members. Similar protections for directors are in place in most “common law” countries, including Canada, England, and Australia. The Equifax cyberattack and future corporate breaches may prompt more challenges to the business judgment rule.
The view that directors are not sufficiently prepared to deal with cybersecurity risk has raised alarm bells in boardrooms nationwide and globally. Even as companies increase their investments in security, we are seeing more — and more serious — cyberattacks.