Cybersecurity is one of the highest priority issues for public company executives and directors, as cyber breaches can pose a material threat to, and have significant consequences for, a company. Recent heightened attention by regulators, including the Securities and Exchange Commission (SEC), in light of cybersecurity incidents at major companies makes clear that cybersecurity is not merely an IT issue, but is an integral component of a company's broader enterprise-wide risk management structure, necessitating board oversight of cybersecurity risk.
A company's attention to cybersecurity should extend well beyond regulatory compliance. In today's global business environment, ensuring the security of corporate networks and sensitive data is an important business driver, and therefore an important component of financial growth and value. Investors, customers, business partners and regulators are all paying close attention to cybersecurity risks and programs to address and mitigate these risks. Cybersecurity can also figure prominently in the success of business combination transactions. Companies must consider the risk profile and security protocols of any possible acquisition target, and appropriate cybersecurity oversight and preparedness should be key factors in evaluating potential business combinations. To this end, acquiring companies must carefully consider the scope of their cybersecurity due diligence efforts and the level of expertise of those performing it.
Informing the Board – Disclosure Controls and Procedures
Proper board oversight requires that the board be fully informed about both the effectiveness of existing cybersecurity measures and the importance of any cyber incidents that have occurred. Disclosure controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company's business, evaluate the significance associated with such risks and incidents, facilitate open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. Companies must assess whether they have adequate disclosure controls and procedures in place to ensure that cybersecurity risks and incidents are timely identified, evaluated, and reported up the corporate ladder to the board and appropriate management personnel.
Board Focus – Risk Management and Oversight
Board oversight also requires that directors understand the nature of cybersecurity risk and prioritize their oversight of cyber preparedness, detection, response, and disclosure. Boards should receive periodic updates from management and any relevant expert advisors on the company's compliance with applicable standards. Boards must be given relevant, objective and reliable information, presented in business-centric terms in order to understand the risks facing their organization and determine whether management is managing the risk appropriately relative to the company's risk tolerance and overall strategy. Trusted third party advisors, including outside counsel, can be a valuable resource in educating and assisting companies in organizing their enterprise risk management and oversight to incorporate cybersecurity issues. Companies should also consider adding a technical expert to their subcertification and/or disclosure committee procedures, or include regular consultation with appropriate technical personnel and advisors.
Considerations for Structuring Board Oversight of Cybersecurity
1. Tailored Oversight: Cybersecurity risks vary by company, and a company should tailor its approach to its particular business, including the data for which it is responsible (especially personally identifiable information, such as payment or health data, as well as proprietary data and third-party data) and the risks to that data.
2. Structure of Oversight: Board oversight of cybersecurity can be achieved in a variety of ways. In many companies, the audit committee retains primary oversight of cybersecurity risks, consistent with its role in oversight of enterprise risks generally. However, in some companies it may make sense to assign primary cybersecurity oversight to a risk committee that oversees a range of the company's enterprise risks, or to a technology committee focused on oversight of technology-related risks. A few companies have created a designated cybersecurity committee for this purpose. And in some companies, the full board maintains oversight responsibility. Cybersecurity is not an area that lends itself to a "one size fits all" model, and each company should choose the approach most appropriate to its business. Any oversight structure should include regular meetings with the company's chief information security officer (or equivalent), and there should be appropriate protocols for elevating information about significant cybersecurity risks and incidents that arise between those meetings.
3. Measurement Tools: The board (or relevant committee) should evaluate the company's cybersecurity risks and the effectiveness of its controls to address those risks, benchmarking against industry standards and regulatory requirements and maintaining an awareness of the ever-evolving state of the art in cybersecurity technologies and best practices. Directors will need to decide who should make those evaluations (management, internal audit, an external advisor, or some combination thereof) and should have a "dashboard" to look at critical issues, assess how the company is doing, and watch for trends. This process can be similar to the board's oversight of audit processes, and should provide directors with an organized overview covering key cybersecurity initiatives, the status of the company's response plans, and any potential breach activity.
4. Crisis Management Team and Incident Response Plan: An effective cybersecurity strategy requires expediency in responding to a breach and resiliency in addressing and recovering from such a breach. Having a crisis management team in place, including representatives from investor relations, IT, legal and management, allows the company to: (i) respond quickly and effectively to a cyber incident, (ii) gather information in order to craft accurate disclosure, (iii) address shareholder concerns when information is released to the market, and (iv) understand the role of outside counsel in leading forensic investigations and maintaining privilege. The board (and/or relevant committee thereof) should evaluate the company's preparedness for a possible breach and consider whether the response plan enables the company to complete the steps listed in (i)-(iv), above.
Key personnel, including those responsible for corporate communications, should be periodically trained on their responsibilities in the event of a cybersecurity incident, and companies should consider conducting cyber breach simulations to test for weaknesses and prepare personnel for action in the event of a true incident. Companies also should consider the advice of qualified cyber counsel in order to formalize, organize, update, and test the adequacy of their incident response and data breach notification plan.
Directors should also evaluate the company's disclosure controls and procedures regarding cybersecurity information, including appropriate restrictions on trading by corporate insiders while management is investigating a potential breach. Companies should be mindful of the SEC's recently issued interpretive guidance on cybersecurity disclosures, which highlights the risk of corporate insiders trading in advance of disclosures regarding material cyber incidents. The SEC has also recently brought enforcement actions against technology-related employees who traded in advance of a company's public disclosure regarding a material cybersecurity breach.
5. Red Flags: Directors should be alert for red flags that might indicate that cybersecurity resources are insufficient and, if appropriate, request an independent assessment of the company's cybersecurity programs. Directors should be mindful of cyber incidents at peer companies and critical vendors, which can provide insight into the types of attacks the company might be subject to, as well as highlight potential systems and supply chain vulnerabilities that should be addressed.
While board oversight of cybersecurity is critical, it is important to recognize that the directors' role is to oversee the company's risk management, not to manage those risks themselves. Directors do not need to know how specific cyber protection and detection technologies work, and they do not need to track the latest advances in this space; instead, the board should focus on ensuring that the company identifies and assesses its key risks through adequate policies, procedures, technical resources, personnel, and organizational structures, tracks and manages those risks effectively over time, keeps leadership fully informed, and discloses incidents and other material cybersecurity risks to the full extent required.