"/> "/>
Cyber security

Corporate TIPS: Cyber Risk - The Board's Role

by Molly Z. Brown & Jarman J. Smith

Over the last two years, the COVID-19 pandemic caused Directors to broaden organizational priorities and focus on technology risks related to ensuring operations continue smoothly. As we move back to the new “normal” it is time to revisit cyber-related risk management. This blog posting will focus on directors’ board governance contributions to managing cyber risk.

Directors’ Contributions to Cyber Security

Directors are typically tasked with the responsibility to oversee management’s handling of risk and the review and approval of policies and procedures. Cybersecurity, technology, and loss of data risks represent a sizeable part of that risk matrix, with cybersecurity and data loss being the top risks. In Marsh & McLennan’s 2020-2021 Board Survey, the top three weaknesses identified by Directors in a survey dominated by COVID-19 risks were: Digital Competence, Opportunity Management, and Technology Infrastructure.   

It is important to underscore the importance of this trend because it has not really changed in the last ten years. Looking back in 2012, a global survey identified data security and data loss as the top risks.

Director Responsibilities: Cyber Governance Best Practices

While Board members must ensure first and foremost that they are disinterested decisionmakers and act in good faith, when making decisions regarding cybersecurity and cyber event risk management the fulfillment of director duties requires following a few simple rules:

  • Be well-advised and ensure professionals are well-qualified and have the Board’s confidence. Professional advisors should include:
    • Outside lawyers
    • Cyber Consultants
    • Crisis Management Communication Professionals
  • Make sure the Board is comfortable with the cybersecurity processes in place: 
    • Timing for completion of actions and assessments following a cyber incident
    • Communication timetables following cyber incident (both internally and externally)
    • Board/Board leadership involvement
    • Record-keeping
  • Ensure directors are informed, meaning the directors have:
    • Asked necessary questions
    • Examined assumptions
    • Reviewed relevant material information reasonably available for decision-making
  • Keep up with relevant demands and expectations for Board conduct, including having the necessary expertise on the Board to make decisions
  • Ensure that confidential information and non-public information remains confidential

By satisfying these rules, Boards can position themselves to mitigate risk; satisfy the company, shareholder and stakeholders; and most importantly, for the directors to establish a pattern of behavior that is consistent with satisfaction of the Business Judgment Rule. 

Application of the Business Judgement Rule

The “Business Judgment Rule” is invoked by directors in lawsuits when a director or directors take an action that affects the corporation, and a plaintiff alleges that the director violated the duty of care.  Under the Business Judgment Rule, a court will uphold the decisions of a director; provided that they are made in good faith and with the care that a reasonably prudent person would use, and with the reasonable belief that the director is acting in the best interests of the corporation.

In recent years, Courts have relied on the Business Judgment Rule to avoid holding management liable for cyber events committed by others. In 2016, the United States District Court of Minnesota dismissed derivative claims against individual defendants related to directors and managements alleged failures concerning Target’s data breach ruling that it was not in the best interest of the company to pursue them. Nevertheless, Boards need to be proactive about cybersecurity risks. Regulators are already imposing enhanced cybersecurity requirements in healthcare, insurance, and financials. In fact, contract provisions often have various cybersecurity requirements that can present procurement risks for companies. 

In determining whether a Board has satisfied its duties, the Board is entitled to rely upon outside professionals that are providing advice to the company and the Board. Typically, in context of a cybersecurity attack this will include cybersecurity consultants, lawyers, and media crisis experts that may be utilized in the event of a cybersecurity incident or in advance thereof, to prevent such an attack. The Board should proactively appoint and approve these professionals as part of its cybersecurity event response plan. Moreover, the Board should be satisfied with the reporting process, policy review, and cyber incident plan implementation/update, so that it can best assure its satisfaction.  

It goes without saying that Board diversity today includes gender and race; however, it also includes satisfying all of the areas of expertise that is needed to serve the company well. More and more we are seeing companies evaluated by investors on the expertise they have within their Boards. In evaluating the satisfaction of Board members’ happiness with the expertise among the other members, the best tool available is the annual Board survey. We recommend Board surveys include an objective review for each Board member of their own expertise and assessment of whether they believe the Board has all the expertise that it needs.  

Role of Board Surveys

Board surveys can be an effective tool in satisfying the Business Judgment Rule and ascertaining the Board’s satisfaction with the expertise on cybersecurity and technology present on the Board. For example, beliefs about whether the Board has sufficient expertise can be assessed through survey questions, such as:

  1. Does the Board have sufficient technology and cybersecurity risk expertise on the Board of Directors?
  2. Does the Board feel confident in the professionals recommended by management in the Cyber Response Plan, including lawyers, cybersecurity consultants, and public relations crisis professionals?
  3. Do Board members have individual expertise in technology and cyber security?
  4. Does the Board believe areas of risk management need additional resources devoted to them?
  5. Are there areas that Board members believe should receive more attention at meetings?

A good Board survey elicits responses that might not be coming out in a meeting but may need addressed. The trends illustrated in Board surveys should be utilized to assist the nomination committee in its design of new director or executive searches, and to help craft Board education and agendas for the year. It is also important for management to work together to complete the aforementioned questions with those informed about cybersecurity and technology taking the lead. By being responsive to survey results, the Board and management can show the measures that they took to ensure adequate risk protection. Thus, ensuring that it has satisfied the basic requirements of the Business Judgment Rule when the inevitable cyber event occurs.


Republished with permission of the author. This article originally appears here

Molly Z. Brown is Of Counsel in Brouse McDowell’s Business Transactions & Corporate Counseling Practice Group. Her practice focuses on public and private securities offerings, mergers and acquisitions, corporate governance, and compliance matters. Molly brings significant experience and knowledge leading securities transaction and mergers and acquisitions teams to successful completion of transactions that are revenue generating for clients. 

Jarman J. Smith is an associate in Brouse McDowell’s Business Transactions & Corporate Counseling Practice Group. After graduating cum laude with a Bachelor of Business Administration, Marketing, and Business Prelaw from the Ohio University College of Business, Jarman went on to complete his Juris Doctorate at the Ohio State University. Jarman has extensive research experience, having served as a Research Assistant at the Ohio State University Moritz College of Law. 


Board composition +
Refreshing Your Board of Directors
Patrick R. Dailey, Ph.D. and Joel M. Koblentz
Battle For the Boardroom
Ludo Van der Heyden and Chris Howells
Night of the Living Board
Matt Palmquist
Strategy & innovation +
The "Third Team" Approach to Board Effectiveness
Denis Mowbray and Coral Ingley (both from Auckland University of Technology)
Tapping The Strategic Potential of Boards
Chinta Bhagat, Martin Hirt, and Conor Kehoe
Board supervision +
Best Practices: Non Profit Governance
McDermott Will & Emery
Value-Focused Corporate Governance
Christian Orglmeister, Marcos Aguiar, and Daniel Azevedo
The Trouble With Too Much Board Oversight
Olubunmi Faleye, Rani Hoitash and Udi Hoitash
Culture +
Corporate Culture, Not Lip Service, Counts
Luigi Guiso, Paola Sapienza and Luigi Zingales
Building a Forward-looking Board
Christian Casal and Christian Caspar
Team building +
Collaborate Better
Leigh Thompson
Outgoing CEOs Shouldn't Pick Their Replacements
David F. Larcker, Stephen A. Miles, and Brian Tayan
Five Things Every CEO Must Do in the Next Era of Globalization
Hans-Paul Bürkner, Arindam Bhattacharya, and Jorge Becerra
Compliance +
Leadership +
Risk management +
Exec. evaluation & comp +
Surviving the Sophomore Slump: Moves That Matter The Most
Roselinde Torres, Judy Johnson, James M. Citrin, and Susan S. Hart
Leapfrog Succession: Trend in Appointing CEOs
Roselinde Torres, Gerry Hansell, Kaye Foster, and David Baron
Cyber security +
Why Senior Leaders Are On The Front Line Against Cyberattacks
Tucker Bailey, James Kaplan, and Chris Rezek
Corporate Governance in the Age of Cyber Risks
In collaboration with RANE (Risk Assistance Network and Exchange)
The Board’s Role in Managing Cybersecurity Risks
Ray A. Rothrock, James Kaplan, and Friso Van Der Oord
Featured +

Your library is currently empty. Browse the Boardspan Library to get started.

We use cookies to personalize content and to provide you with an improved user experience. By continuing to use this site you consent to the use of cookies.
Please visit our cookie policy for further details.