Cybersecurity a Risk for Boards of Directors

Reports and survey data clearly indicate that cyber attacks on businesses are pervasive and growing rapidly. Various reports estimated the annual cost of cyber crime in 2015 at $400 billion to $500 billion, an amount that quadrupled since 2013 and that is forecast to quadruple again by the end of the decade.

Although this trend should be alarming for all companies, cybersecurity is particularly important for companies in the defense industry, which face significant regulation and reporting requirements with respect to their government contracts and heightened risk of sophisticated attack from hostile governments and non-state actors due to the highly sensitive nature of some of their programs.

In addition to posing fundamental business, security, contracting and reputational issues, cybersecurity presents a governance challenge for boards of directors. However, boards can take practical steps to reduce the possibility of a catastrophic cyber attack and defend their conduct in the wake of an event.

The best-designed network security plan in the world will be as ineffective as the compromised system on which it is saved if the board of directors is not committed to developing a corporate culture that takes cybersecurity seriously. This process does not require that directors become technical experts on such threats, but rather that the board emphasize and cultivate a culture of awareness and accountability throughout the organization. Steps that boards can take in this regard including the following:

• Ensure that cybersecurity is addressed by the board committee charged with risk oversight;
• Emphasize that responsibility for compliance with the cybersecurity plan and achievement of plan objectives is not a task for the information technology function, but instead an obligation that transcends the company’s reporting structure;
• Mandate a company-wide cybersecurity training program and instruct management to review and update existing training programs to address new threats;
• Develop procedures to provide for timely internal reporting of cyber breaches and the discovery of new risks;
• Incorporate cybersecurity objectives into the incentive compensation structure for the CEO and other senior managers;
• Include cybersecurity oversight in director education programming and;
• Include experience managing cyber risks in director recruitment and in the board’s evaluation of the skill set of the board as a whole.

As cybersecurity has risen to become one of the most significant enterprise-wide issues facing companies, it has become clear that strong corporate governance requires that boards of directors actively engage on this issue. Without board leadership, a company’s cyber defenses may languish and its response to material cyber incidents is likely to be haphazard. Over time, this approach increases the risk of a significant loss that would harm shareholder value and expose directors to shareholder litigation — and the prospect of personal liability for directors.

Corporate directors generally owe their companies duties of good faith, care and loyalty. These duties encompass the board’s responsibility for risk oversight — the obligation to pay sufficient attention to business risks to be capable of acting on them in an informed manner. To protect against claims involving a failure of oversight, the board should consider adopting a reasonable information and reporting system that would include cybersecurity reporting and consciously monitor and oversee its operation.

To address the challenges presented by cybersecurity risks and, in a worst-case scenario assist directors in demonstrating that they have met their fiduciary duties, boards should be actively engaged in the development and oversight of companies’ cybersecurity strategy.

Such engagement should direct the design of a robust corporate cybersecurity plan that is tailored to the company’s business, industry and risk profile. It should also evaluate implementation and make adjustments to the plan as necessary to close any disconnect between the plan and the company’s actual practice. It should ensure allocation of sufficient resources to implement the cybersecurity plan and reevaluate existing controls to determine how they are affected by cyber issues and any new or amended plan that the company adopts.

The board should monitor cybersecurity threats and the effectiveness of the company’s plan, including timely identification, assessment and response to compliance challenges, plan deficiencies and the emergence of new risks as well as regularly dedicate board and committee meeting time to cybersecurity, including presentations from management and outside experts.

They should also consider conducting tabletop exercises with senior management to facilitate incident response planning and management preparedness, and consider whether to obtain or maintain insurance for cyber events.

Boards potentially can reduce the risk of post-breach investigations and litigation by maintaining robust documentation of cybersecurity oversight. In addition, companies’ disclosures should address this focus on cybersecurity, while emphasizing that significant risks nonetheless remain.

Boards should consider documenting their activities by identifying board and committee responsibility for cybersecurity as a component of the risk oversight function in corporate governance principles and committee charters.

They should retain board and committee presentations and reports relating to cybersecurity and document discussions in meeting minutes, and ensure that appropriate due diligence is conducted and reflected in reports for potential acquisition candidates, and that cybersecurity integration steps are documented for completed acquisitions.

Kerry Burke is a partner, and Matt Franker is a special counsel, in the securities and capital markets practice of Covington & Burling LLP.

Topics: