Cyber security and privacy: fiduciary considerations and Dodd-Frank’s enterprise risk management
April 2019 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
April 2019 Issue
Technology, and the risks posed by our use of it, are ubiquitous. As more companies recognise cyber and data privacy matters as enterprise level risks, many struggle with how to address it as a top line risk and to ensure its directors and executives fulfil any relevant fiduciary duties under US law. While plaintiffs’ lawyers continue to challenge companies and directors in data breach litigation by asserting breaches of fiduciary duty and corporate negligence, there remains uncertainty in boardrooms and executive suites as to what this risk means for the individual director or executive. While there is no shortage of consultants and technologies to mitigate these risks, companies, directors and executives must consider reducing the risk through evaluation of traditional legal precedent governing their fiduciary responsibilities and ensuring any applicable negligence standards are surpassed.
This is particularly true in light of the increasing scale of cyber risk. Cyber crime harm is expected to hit $6 trillion annually by 2021, according to Cybersecurity Ventures. A country with $6 trillion in gross domestic product would rank third globally, between China and Japan, based on World Bank statistics for 2017. Yet, despite the extent of cyber risk in organisations of all sizes, directors and executives agree that there remains confusion and opportunities for growth in the boardroom and in executive suites. Based on the authors’ personal experience and widely available published statistics, directors and executives continue to be challenged by, for example, whether: (i) cyber security oversight responsibility belongs to the full board, a specialised risk committee or the audit committee; (ii) the executive team has primary responsibility for cyber and privacy oversight versus the technology functions; (iii) the board should conduct independent assessments of the company’s cyber and privacy risks; and (iv) periodic summarised reporting is sufficient for the board to effectively evaluate management’s assessment and reaction to cyber and privacy risks.
The sheer magnitude of cyber risk often compels boards and companies to treat it as enterprise – top line – risk. Treating cyber risk as enterprise risk, a concept already acknowledged as prudent by US regulators, likely will help directors and boards satisfy any fiduciary duty obligations.
Cyber risk and fiduciary duties
Directors frequently ask legal counsel: how can we prevent individual and board liability as to cyber and privacy risks? While insurance can be a helpful backstop, it is important to proactively prepare your organisation, its directors and the board so that any potential liability is minimised. So, what if a director or the board: (i) fails to recognise and address the extent of a company’s cyber and privacy risks; or (ii) fails to oversee management’s prevention of employee fraudulent or criminal conduct within the company?
Although legal requirements vary within US jurisdictions and regulatory frameworks, and questions concerning potential liability are highly fact specific, Delaware jurisprudence provides a useful, initial reference point. Under Delaware law – the operative law for many US companies – directors of a corporation, generally speaking, owe both a duty of care and a duty of loyalty. See Smith v. Van Gorkom, 488 A.2d 858, 872-73 (Del. 1985). In the cyber and privacy context, however, the application of these duties is not yet well defined. And, while fiduciary duties are often discussed in theoretical terms, the “imposition of liability [on directors] requires a showing that the directors knew that they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty….” Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). But, this begs the question: what is a director’s or board’s duty to act in this context? And, if it has such a duty, what is the scope of the duty and what does it require?
As to business risk, which cyber and privacy risk may fall within at times, a director fulfilling his or her duty of care owed to the company shall “prior to making a business decision [inform themselves] of all material information reasonably available to them” and use a “critical eye” when assessing that information. Smith, 488 A.2d at 872. The business judgment rule under Delaware jurisprudence provides companies and boards with certain flexibility to make business decisions in the best interests of the company. However, the business judgment rule in the context of cyber or privacy risk is not panacea (not yet at least).
Delaware jurisprudence also suggests that boards may have duties with respect to preventing (or discovering) fraudulent or criminal conduct within a company. “Directors should… under Delaware law, ensure that reasonable information and reporting systems exist that would put them on notice of fraudulent or criminal conduct within the company.” In re Citigroup Inc. S’holder Deriv. Litig., 964 A.2d 106, 131 (Del. Ch. 2009). Cyber and privacy risk can blur any distinction between business risk (which can be protected by the business judgment rule) and legal risk analogous to the prevention or discovery of fraudulent conduct within a company. For example, cyber risk often materialises differently than ‘ordinary’ fraud or theft – the company is often a victim as the company’s assets are used to further the underlying fraudulent and/or criminal conduct (e.g., a business email compromise). Or consider a cyber incident involving the theft of protected individual customer information in a company’s possession – an asset valuable to the company while also potentially covered by applicable privacy laws or contract. What the company does next – the company’s response (what to investigate, the extent of any investigation, when to stop investigating, and to whom to report the outcomes of any investigation) – implicates business risk, but also implicates potential legal risk, regulatory risk and contractual obligations. Many of these decisions to address the risk – both proactively and reactively – could also implicate a board’s supervision of management.
The need for determining the appropriate scope of board oversight of cyber risk therefore requires business leadership and reporting and legal team counselling, and should include a coordinated and considered reporting structure with clear responsibilities delineated in policies and procedures. In our experience, there remains much room for consideration and improvement in a dramatically changing and evolving environment of cyber threats and privacy laws.
Enterprise risk committees and cyber risk: regulators take notice
Dodd-Frank’s imposition of enterprise risk committees provides a good option for structuring proper risk reporting to executive teams and the board. While SEC Commissioner Luis A. Aguilar identified this five years ago in prepared remarks delivered on 10 June 2014 to the New York Stock Exchange, entitled ‘Boards of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus’, many companies continue to find challenges on what to report up and how. In a segment entitled ‘Board Structural Changes to Focus on Appropriate Cyber-Risk Management’, Commissioner Aguilar offered the following comparison to the enterprise risk committees established in the Dodd-Frank Wall Street Reform and Consumer Protection Act: “Another way that has been identified to help curtail the knowledge gap and focus director attention on known cyber-risks is to create a separate enterprise risk committee on the board. It is believed that such committees can foster a ‘big picture’ approach to company-wide risk that not only may result in improved risk reporting and monitoring for both management and the board, but also can provide a greater focus – at the board level – on the adequacy of resources and overall support provided to company executives responsible for risk management. The Dodd-Frank Act already requires large financial institutions to establish independent risk committees on their boards. … [S]ome public companies have chosen to proactively create such risk committees on their boards...”
US regulators, with every passing day, are focused more and more on board oversight and routinely identify its role as essential in a company’s management of cyber security and privacy risks. Failure to act proactively may lead to regulatory enforcement actions and shareholder litigation. Every company will have to determine how best to implement an effective risk mitigation strategy. To this end, in a 2015 speech before the New York Stock Exchange (a year after the speech quoted above) Commissioner Aguilar recommended that boards: (i) be “appropriately informed about the global risks facing an organization or its broader industry”; (ii) “task[ ] appropriate personnel with monitoring and preparing for such [cyber] risks”; and (iii) “implement[ ] protocols to be able to quickly respond if and when such risks become a crisis event”. While time has passed since Commissioner Aguilar’s commentary, such steps are likely to assist directors and executives in fulfilling their fiduciary obligations given our anticipation that US regulators, in addition to the Federal Trade Commission, will continue to seek opportunities for cyber- and privacy-related enforcement actions. And, plaintiffs’ lawyers often follow suit.
Practical takeaways
The takeaways are plentiful, but there are a handful of ideas for adopting this framework of addressing cyber security and privacy risks.
Who? Ensure that your board is properly constituted to evaluate cyber risks, and that cyber and privacy matters are reported to the correct board constituency (e.g., the audit committee, a separate risk committee, or the full board).
What? Ensure that your board receives in-depth reporting with actual, relevant information and details. Provide the board with information to assess management’s performance. Ensure that your board receives not just technical reporting, but also appropriate legal counsel and business risk evaluation.
When? Ensure that your board receives properly timed reporting. For some entities with particular risks, the board may need and want reporting more frequently than annually.
Scott T. Lashway is a partner, and Christopher M. Iaquinto and Mara O’Malley are litigation associates, at Holland & Knight. Mr Lashway can be contacted at +1 (617) 305 2119 or by email: scott.lashway@hklaw.com. Mr Iaquinto can be contacted at +1 (617) 305 2092 or by email: christopher.iaquinto@hklaw.com. Ms O’Malley can be contacted at +1 (617) 854 1401 or by email: mara.omalley@hklaw.com.
© Financier Worldwide
BY
Scott T. Lashway, Christopher M. Iaquinto and Mara O’Malley
Holland & Knight