April 2023 Issue
As the prevalence and severity of cyber incidents increase, companies face escalating cyber risks, including operational and business losses, as well as civil liability and regulatory scrutiny following a cyber incident. With the continued expansion of state, federal and global privacy and security laws, along with changes in high-profile enforcement activity, privacy and security present operational, reputational and compliance risks that bear directly on the board of directors’ fiduciary obligations in its oversight function.
Board fiduciary obligations
The duty of care obligates the board to oversee risk in good faith. According to In re Caremark Int’l Inc. Derivative Litig., director liability for a breach of that duty arises in two contexts: (i) where liability “follow[s] from a board decision that results in a loss because that decision was ill advised or ‘negligent’”; and (ii) where liability “arise[s] from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented [loss]”. Put simply, a director owes a duty to exercise good business judgment and to use ordinary care and prudence in the operation of the business.
Unfortunately, this broad discretion leaves little guidance for constructing controls and monitoring risks arising from the ever-changing cyber security landscape. The need for guidance grows more urgent as external parties increasingly bring actions related to cyber security breaches: namely, regulators expanding their rules and enforcement efforts and plaintiffs increasingly bringing derivative suits for losses resulting from cyber incidents.
Evolving regulatory expectations for board involvement with cyber security
In this vein, the US Federal Trade Commission (FTC) has provided guidance that can help boards take preventative steps against cyber risks and regulatory scrutiny. Likewise, the US Securities and Exchange Commission’s (SEC’s) proposed cyber disclosure rules for public companies and related commentary provide perspective on its regulatory enforcement priorities and strategies.
The FTC’s guidance for proactively addressing cyber security falls into two broad categories. First, cyber security must be managed on an enterprise-wide level and must be diligently overseen at board level. The board should be regularly informed, via security briefings, of the cyber risks to the company. Boards can rely on the advice of management, but that team should source its members from all parts of the organisation. In addition to information security (IS) or information technology (IT), cyber security teams should include business and legal representatives, as well as members of departments that manage sensitive information, such as human resources, finance or accounting. Second, boards should treat the security of the company’s cyber assets against attack as the metric for success, rather than compliance with the minimum obligations imposed by law. This metric makes the board’s oversight nimbler, since it focuses attention on rapidly evolving cyber threats rather than on comparatively slower-evolving regulations.
Likewise, the SEC’s proposed rules related to cyber security require disclosure of both proactive and reactive steps taken by management and the board. Proactively, listed companies would have to expand their Form 10-K and Regulation S-K disclosures to include the company’s governance policies, if any, for identifying and managing cyber security risks, the board’s role and expertise in cyber security, if any, and management’s role and expertise in assessing and mitigating cyber risks. Reactively, the proposed rules require Form 8-K disclosure of a material cyber incident within four business days of the company determining that the incident is material. Thus, cyber security governance is a continuous disclosure concern, not merely an annual one.
These new rules, expectations and related guidance indicate a growing trend in the civil and regulatory enforcement landscape: management must keep the board abreast of essential cyber security risks, and the board must have processes in place to competently assess such risks and to ensure the company is properly addressing or mitigating them.
Optimising cyber security oversight
When structuring cyber security oversight systems, boards should evaluate three things: how the board itself is organised to oversee the system and respond to red flags; where cyber security expertise will sit within the structure of the corporation; and the specific risks and business priorities of the corporation.
Structuring board oversight
Regardless of whether oversight is delegated to a specific committee, the full board should require regular, comprehensive briefings delivered in jargon-free language. This is especially true in industries where cyber security is a critical concern, since the entire board should be apprised of the paramount risks to the corporation’s core business. Indeed, in some industries these regular updates to the full board may suffice, without expending additional committee resources on cyber security.
If boards do choose to delegate cyber security oversight to a committee, each option carries its own risks. Audit and risk committees already have established procedures for overseeing compliance and risk issues, so they would be able to integrate cyber security oversight into their enterprise-wide monitoring. However, audit committee members are usually appointed for their financial expertise, and risk committee members may be primarily attuned to the hyper-specific industry concerns of the business. Monitoring a risk as rapidly evolving and as critical as cyber risk may therefore be too much for these committees to take on effectively while maintaining focus on their other priorities.
If a corporation’s cyber risks are especially severe or complex, and if the business’s size and resources allow, then boards should consider creating a dedicated cyber security committee. Its members must nonetheless keep the corporation’s practical industry needs in mind, especially when considering adding bleeding-edge tools to pre-existing security systems. They must avoid excessive cost to the corporation and must ensure that each new tool works robustly alongside the company’s other risk management systems. A committee of specialists must be an asset to the overall business and should avoid approving cost overruns for untested and poorly integrated tools.
Positioning cyber security expertise
A corporation may rely on cyber security experts positioned in the boardroom, within management, hired externally, or any combination of these. While the entire board should know the most prevalent, severe and emerging threats to its industry, adding a board member with a cyber security background may be necessary.
Board members should also consider requiring management to appoint a chief information security officer (CISO) who is regularly involved in both large-scale decision making and day-to-day risk management and threat response. The CISO plays a critical role in educating the board or board committee on cyber security, regularly reporting on the cyber security programme to the board, readily informing the board of emerging threats, and helping the board construct controls that detail the company’s risk appetite and tolerance, performance metrics and threat response procedures.
Lastly, if boards choose to outsource either ongoing cyber security control programmes or periodic ‘penetration tests’ or ‘ethical hacks’ that test the effectiveness of their controls, they should perform due diligence on every party that will handle the company’s sensitive information.
Specifying the corporation’s cyber security needs
Finally, boards should ensure they are informed of several specific categories of information so that they can make decisions that balance risk mitigation against the company’s business priorities.
To determine what an organisation’s risk appetite is (or should be), boards should require management or external cyber security advisers to regularly identify the organisation’s ‘crown jewels’, the data sets most valuable to the business. For example, for healthcare this could be client data; for retailers, credit card data; for defence and tech, intellectual property. Boards should then ask management where these crown jewel data sets are stored and from where they can be accessed. This is not a static process. As management enters into deals with third-party vendors, or as a new business is acquired or merged into the organisation, the access points to the crown jewel data sets change and the board must be briefed again.
The landscape of an organisation’s compliance system can also change with the addition or transition of personnel or resources. Because cyber criminals exploit human error and failure to follow process as readily as technological weaknesses, new personnel must be trained to follow the organisation’s processes, and departing personnel must be off-boarded securely and promptly, including timely revocation of their access.
Once boards have an adequate understanding of their organisation’s technical priorities and vulnerabilities, they should be provided with qualitative and quantitative metrics on three points: the potential damages arising from a cyber security breach; the effectiveness of existing controls at detecting threats and escalating them to senior management and the board; and the effectiveness of existing controls after a breach has occurred.
With these detailed and measurable metrics and data points relating to the company’s risks and the existing controls’ effectiveness, boards will be able to meaningfully engage in oversight conversations while optimising investment into cyber security.
Matthew Baker is a partner and Jack Booth is an associate at Baker Botts. Mr Baker can be contacted on +1 (415) 291 6213 or by email: matthew.baker@bakerbotts.com. Mr Booth can be contacted on +1 (650) 739 7519 or by email: jack.booth@bakerbotts.com.
© Financier Worldwide