“What directors should know about a company’s readiness to deal with a data breach”
Inside Counsel 07/09/15 By Margaret Utterback
A parade of horribles usually follows the news that a company has experienced a significant data breach. The consequences can include loss of customers, lasting harm to the company’s reputation, significant costs relating to breach response, distraction from the company’s business goals, shareholder suits, and loss of competitive advantages, among others. Naturally, boards of directors are increasingly concerned with identifying the risks posed to their companies by possible breaches. According to a recent survey of more than 200 public companies, approximately 80 percent of directors reported that data security was a topic at every board meeting. In order to be prepared to address a data breach, directors must be informed and must exercise oversight to ensure that the company has sufficient systems and procedures in place to address cybersecurity issues.
Identify Internal Champions. First of all, directors must identify the leader and team responsible for overseeing cyber risk. Such a team should be cross-disciplinary and must have access to and leadership from the C-suite. As is the case with any corporate risk management efforts, cybersecurity must be understood as an enterprise-wide concern. The board must understand the intersection between company security policies, budgets, assets, and breach response. Many corporations task a committee such as the audit committee with cybersecurity, but it is increasingly common for a corporation to create a separate independent cyber risk committee. The risk management function will vary depending on the legal and regulatory framework in which a company operates.
Identify Key Information and Its Use. Second, in order to protect confidential information, the board must ensure that the cybersecurity risk management team understands what the company’s most significant data are, where they reside, and how the company’s systems intersect. The National Institute of Standards and Technology has established a very helpful voluntary framework (the NIST Cybersecurity Framework) for evaluating and reducing cyber risks. The cyber risk team must know the greatest risks to the company that might result from compromised data. The board must assess both internal and external threats and evaluate the company’s overall risk. It is essential that this process include an evaluation of the risks posed through supply chains and through third-party vendors’ use of the company’s systems. It will then be possible to prioritize and establish appropriate protection measures.
Provide Adequate Resources. Third, directors must allocate company resources to implement a protection strategy. Data security comes at a cost that must be balanced with the need to deliver results to shareholders. As is true of any core strategy, the protection strategy must be developed and implemented as a long-term, enterprise-wide strategy. Part of this allocation must include an evaluation of insurance policies to determine whether appropriate coverage is in place. The board must also take into account industry standards. Any allocation of resources must take into account both the relative risks to and the strategic goals of the company, as well as other priorities of the company.
Monitor Changes. Fourth, in order for any allocation of resources to be reasonable, the board must be cognizant of developing technology and emerging risks. As with any other risk-management effort, the board must be kept informed of changes in the company’s information profile, the current status of its security program, and emerging threats. The company’s data security capabilities and challenges must be re-assessed regularly, and the board must have a line of sight into these efforts. The board may consider engaging outside experts to provide periodic reports, in addition to relying on internal resources. The board may also choose to implement cybersecurity training.
Prepare Breach Response Plan. Fifth, once the knowledge foundation has been established, the board must ensure that a breach response plan is created. The plan should include an internal communication protocol, to ensure that information is shared effectively and in a timely manner so that the company can respond rapidly to a breach. In addition, the plan must include an external communication protocol to guide the company in notifying law enforcement, regulators, stakeholders, and the general public. It should also identify the members of the response team. The team should include representation from the C-suite, legal, human resources, public relations, information technology and other key stakeholders so that decisions can be made quickly.
Test Capabilities Regularly. Finally, the board must ensure that the cyber protocols are regularly examined and tested to confirm that they remain sufficient and appropriate. Just as companies conduct emergency drills for fires, they should also conduct drills to ensure that response plans can be executed effectively. The board should confirm that sufficient system redundancy exists to overcome the operational challenges resulting from a breach and its investigation, such as the need to take certain systems offline while evidence is preserved. By establishing a security-conscious corporate culture from the top down, the board effectively reduces risk to the company.
The old adage “an ounce of prevention is worth a pound of cure” is equally applicable to cybersecurity. By obtaining the necessary understanding of a company’s risk profile, key data, and systems technology, directors can ensure that appropriate risk management tactics are implemented. If the board establishes the necessary tools and protocols, the company will be equipped to respond to a breach more nimbly in order to minimize the impact of any breach. The board’s oversight is essential to ensuring that data security is the responsibility of every employee.