Legal Threats Facing Boards in the Prevention and Management of Cybersecurity Risks

There is no question that the topic of cybersecurity is top of mind for directors and officers of all types of companies. In the wake of cyber breaches, the role of the board of directors in cybersecurity risk management has come into focus in response to increasing regulatory scrutiny and the rising threat of private shareholder litigation.

In the performance of their duties, boards should remain cognizant of the legal threats that may arise in the event of a cybersecurity breach. In recent years, federal and state regulatory bodies have increased their focus on the cybersecurity practices of companies before, during and after a breach. Boards of directors will be expected to take a proactive role in supervising their companies’ cybersecurity controls and should account for applicable regulatory mandates or guidance in ensuring that such controls are appropriate.

“Although directors do not have to become cybersecurity experts, boards should be informed of the cyber risks facing the company and be satisfied that appropriate controls are in place.”

In the realm of private litigation, the most likely legal threat to boards is shareholder derivative litigation brought in the aftermath of a breach. These suits, which have been filed following high-profile data breaches against companies such as Wyndham Worldwide and Target, typically allege that boards and executive management breached their duties of care and loyalty, wasted corporate assets and were unjustly enriched leading up to and in the wake of the data breach. If a board is informed and used reasonable business judgment, its decisions should be protected by the “business judgment rule.”[1]

Although directors do not have to become cybersecurity experts and may rely on information and reports from management and others regarding cyber risk, boards should be informed of the cyber risks facing the company and be satisfied that appropriate controls are in place. Boards should receive regular reports on issues such as the evolving cybersecurity threat and the company’s response, the incident response plan and other material cybersecurity issues.

In the event of a breach, boards should be informed about the scope of the breach and its business and legal implications, and should be updated as events unfold. Finally, because any regulatory inquiries or litigation would likely rely on written documentation of board supervision, the company should maintain a full record of the information provided to the board and the board’s consideration of cyber-related issues.

The board may want to engage outside counsel to evaluate the board’s meeting minutes and other materials with an eye toward production in the inevitable shareholder litigation. Outside counsel can also educate the board on its duties and present at a full board meeting on the adequacy of its materials and efforts.

[1] The business judgment rule is a legal doctrine grounded in the presumption that corporate officers and directors act in the best interests of the companies they serve and which protects their good faith, informed and reasonable business decisions from being second-guessed by courts.  See, e.g., Palkon v. Holmes, et al, No. 2:14-cv-01234 (SRC), (D.N.J. Oct. 20, 2014) (dismissing derivative complaint against Wyndham Worldwide directors and officers for failure to adequately plead that the shareholders’ demand was refused in bad faith or without a reasonable investigation given the business judgment rule’s protections).


Key Takeaways for All Board Members:

  • Be informed of the cyber risk facing the company and be satisfied that appropriate controls are in place.
  • Be aware that legal threats may arise in the event of a cybersecurity breach.
  • Take a proactive role in supervising your company’s cybersecurity practices.
  • Ensure that cybersecurity controls account for applicable regulatory mandates.
  • Require regular reports on evolving cybersecurity threats and your company’s response.
  • Be sure that you are kept informed in the event of a breach.
  • Consider hiring an outside consultant to audit the board’s meeting minutes to ensure they would support the company during shareholder litigation.

 


MORE LIKE THIS

  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events

    Roundtable

    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)

     

    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.