“Director Oversight of Cybersecurity Risks”
Middle-Market Legal Toolbox 04/19/13 Joseph D. Masterson
In recent months cybersecurity breaches involving national retailers, related privacy issues, and the hundreds of millions of dollars spent as a consequence have been repeatedly in the news and on the minds of the public, regulators, and businesses of all kinds. Heightened risks are not limited to retailers or to credit card data. Cybersecurity risks apply to any company that holds valuable intellectual property or sensitive personal or financial information, or that provides critical infrastructure. Statutory and regulatory requirements to protect against and promptly report cyber attacks are rapidly expanding from all levels of government, both in the U.S. and internationally. The SEC and other regulators are pressing for more disclosures about cybersecurity risks and responses, and some are calling for increased rights and remedies for the “victims” of any data breach.
Management has the primary responsibility to respond to these expanding threats and requirements by continuously updating and fully implementing the company’s cybersecurity policies and procedures. The board of directors’ fiduciary duty of oversight complements management efforts by requiring that the directors assure that cybersecurity policies and procedures are up to date and being followed. Absolute security may be impossible for many companies, but these emerging risks and compliance requirements need to be addressed. The “Framework for Improving Critical Infrastructure Cybersecurity” was published by the National Institute of Standards and Technology in February 2014 (the “Framework”) as a voluntary guide for dealing with cybersecurity risks. The Framework is quite general and can be applied to all businesses regardless of size or industry.
As reported by Chad Brooks, boards and board committees are and will become increasingly involved in the plans for addressing cybersecurity risks. The new Framework is a useful starting point for a company’s board and management to review these issues. It outlines five core functions of cybersecurity planning that should be considered in the review:
- identifying key assets and risks,
- protecting against those risks by establishing procedures and safeguards that limit or contain adverse impacts,
- detecting breaches and other cybersecurity anomalies or events,
- responding to any breaches, and
- recovering from such events by restoring capabilities or services and building resilience.
Among the specific issues that companies and their boards should consider are the following:
- What is the company’s cyber attack profile and risk? What information might be of interest to potential hackers, and what data and systems could be corrupted or subject to a denial of access attack?
- Of the information and systems potentially at risk, are some absolutely critical to the business and its strategic imperatives while others are important but not as vital? The company’s reputation and compliance needs should be considered as well as its ability to operate. Personally identifiable information requires special protection.
- Do existing safeguards and corporate policies address all of the key risks? Do they include updated security technology and robust compliance policies for employees and vendors? Do they comply with emerging best practices?
- Is there active board oversight of the implementation and continuous improvement of all critical cybersecurity safeguards and policies?
- Does the company have a robust written “cyber crisis response plan” to mitigate potential harm and speed recovery if a breach occurs? Is the company prepared to investigate and respond quickly if a breach is detected? Is the response team in place, with clear responsibilities and authority? Does the company have a current communication plan for getting accurate information to regulators, affected customers, employees, the media, and other key audiences?
- Before a breach occurs, do the company’s public statements reflect both cybersecurity risks that the company faces (including newly emerging risks) and any safeguards or controls the company has implemented in response? In contracts with key customers, does the company limit its cybersecurity promises to those best practices it is able to satisfy?
- Is the company coordinating with suppliers to anticipate and minimize risks throughout the supply chain and to meet any customer-imposed requirements? Does the company have sufficient insurance for risks and expenses related to likely cybersecurity threats? Does it have redundant data storage offsite and redundant capabilities in case critical data or systems are corrupted?
Thoughtful responses to these and other questions will help to minimize the risks of a cybersecurity breach and to recover quickly if one occurs. Appropriately documented planning and safeguards also will help protect both the company and the board if breaches nevertheless occur.