Cybersecurity is a recurring and critical board agenda item for good reason. Related reputational, regulatory, and business impact risks—all of which are likely to have economic consequences, potentially resulting in regulatory fines, lawsuits, and decreasing stock prices—are just a few key concerns for companies and their leaders. The failure of an organization and its board to fulfill their cybersecurity responsibilities can even create existential risk.
Given the global business environment, the interconnectedness of today’s technology, and corresponding cyber threats, it is vital that boards keep current on news cycle headlines, trending cyber risks, and global regulatory cybersecurity requirements, expectations, and best practices.
Director responsibilities with regard to cybersecurity oversight stem from a general obligation or fiduciary duty of care to oversee risk and, in many cases, are more specifically prescribed by regulatory requirements, strong recommendations, and expectations. Below are examples of such global regulatory responsibilities required by regulatory or law-making bodies in the respective countries in which companies do business.
The boards of certain organizations are required to approve information security or cybersecurity policies in a variety of jurisdictions around the world, including for financial services companies in the United States, Bermuda, Israel, Malaysia, and India. The board is also required to be the point of escalation for material cybersecurity risk, data breaches, or incident responses in those same jurisdictions.
In the United Kingdom, a director has a duty to exercise reasonable care, skill, and diligence in the conduct of their role, including for cybersecurity.
In Denmark, board members at insurance companies are required to complete a basic course on cybersecurity no later than 12 months after joining a board.
In Singapore, the board is expected to be regularly apprised of salient cyber-risk developments so as to equip itself with the requisite knowledge to competently exercise its oversight function.
In Australia, the board is responsible for ensuring that the entity it serves maintains its information security practices and for maintaining information security in a manner commensurate with the size and extent of threats to its information assets.
The Perils of Responsibilities Unfulfilled
A failure of the board to properly understand and effectively mitigate cyber risks that results in a cyber incident or damage to the company (reputational or otherwise) may amount to a breach of director duties, exposing directors to personal liability in certain jurisdictions such as the United Arab Emirates, Argentina, Malaysia, and Israel.
Under Europe’s General Data Protection Regulation (GDPR), companies have an obligation to reasonably safeguard data whether in electronic or paper form. Violations of this requirement due to a cyber incident or other factors can result in fines of up to 20 million euros or four percent of a company’s total worldwide annual turnover from the preceding financial year. The GDPR imposes fines for noncompliance only on legal entities, not individual managers. However, based on German procedural laws implementing GDPR locally, the fine is imposed on responsible individuals, which can include a corporate director, rather than the legal entity.
In France and Singapore, criminal sanctions of up to five and two years of imprisonment, respectively, may be applied against an individual responsible, including a corporate director.
Board Best Practices
The board plays an important role in helping the company it serves balance and oversee security risk appetite, risk mitigation strategy, and strategic business objectives.
To avoid the perils of unfulfilled director responsibilities in relation to cybersecurity oversight, the board should consider the following tips:
Formally approve on an annual basis and in documented minutes the company’s information security program, including policy.
Try to recruit a cyber expert to the board in line with the US Securities and Exchange Commission’s suggestions from its guidance around cybersecurity disclosures.
Require regular (ideally quarterly at a minimum) reporting from management on cybersecurity and information security material risks and events, and how the leadership team is implementing the strategy for management of those risks and the treatment of those events.
Designate a board committee that will be responsible for regular oversight of cybersecurity activities (unless it is determined that cybersecurity will remain a full-board issue).
Stay current on the regulatory security landscape and your company’s compliance status and strategic approach with at least an annual briefing from internal legal counsel.
Understand what the company’s cyber insurance covers (e.g. does it include fines and penalties?).
Periodically practice the company’s documented incident response plan.
Understand the company’s plans for expanding or contracting business operations in geographic regions that are considered nation-state adversaries or otherwise present cybersecurity legal or operational high-risk challenges.
Ask about the company’s current and planned cybersecurity resources in an effort to ensure that the company is adequately staffed from numbers and expertise perspectives.
Require periodic updates from the company’s internal audit group on cybersecurity audit material findings and cyber program effectiveness.
Lucy Fato is executive vice president, general counsel, and global head of communications and government affairs of AIG and Nubiaa Shabaka is chief cybersecurity and privacy legal officer and associate general counsel of AIG.
NACD: Tools and resources to help guide you in unpredictable times.