Fri, Jun 21, 2019
In-house counsel, and outside counsel who work with them, technically represent the company. They are fiduciaries to the corporate entity, which has as its highest authority the board of directors. Accordingly, an important part of the general counsel’s role is to provide sound legal compliance and legal risk-mitigation advice to the board.
While it is a new risk, cybersecurity falls squarely within the traditional “risk oversight” obligations of corporate directors. Directors have fiduciary duties to act in good faith and with care and loyalty, which, in the cyber context, includes directing management to design, implement, and enforce a robust cybersecurity compliance program. To effectively do so, directors must be educated and informed about the company’s risk profile, threat actors, and strategies to address that risk; they must receive regular briefings from management and metrics to understand progress toward the desired state.
Indeed, the Securities and Exchange Commission recently emphasized the criticality of the board’s cyber activities to the marketplace.[1] In its 2018 cyber guidance, the SEC stated that disclosure in annual reports or proxy statements of the board’s role in risk oversight of a company pursuant to Item 407(h) of Regulation S-K should include a discussion of the nature of the board’s role in overseeing the management of cybersecurity risks that are material to a company’s business. In addition, the SEC observed that disclosures on how the board engages with management on cybersecurity issues will allow investors to assess how a board of directors is discharging its risk oversight responsibility in cybersecurity matters.
The foregoing is not surprising given the severe effect that breaches can have on a company’s performance and value, including its brand and reputational assets. That severity has spurred shareholder derivative suits against directors and officers in the aftermath of major data breaches. In these suits, plaintiffs allege that the directors and officers failed to ensure effective cybersecurity programs, recklessly ignored security warnings and various red flags, and, as a result, the company had inadequate controls and procedures to protect personal and financial information against unauthorized access and acquisition.
We offer three insights from the frontlines of governance work that we believe have the dual benefit of not only helping to mitigate risk for the company, but also helping directors and officers to fulfill their cyber fiduciary duties:
Full article: Tips from the Trenches: Make Your Company Less Attractive to Cyber Enforcement
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
Sources
[1] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 C.F.R. pts. 229, 249 (2018).