Over the last two years, the COVID-19 pandemic caused Directors to broaden organizational priorities and focus on technology risks related to ensuring operations continue smoothly. As we move back to the new “normal” it is time to revisit cyber-related risk management. This blog posting will focus on directors’ board governance contributions to managing cyber risk.
Directors’ Contributions to Cyber Security
Directors are typically tasked with the responsibility to oversee management’s handling of risk and the review and approval of policies and procedures. Cybersecurity, technology, and loss of data risks represent a sizeable part of that risk matrix, with cybersecurity and data loss being the top risks. In Marsh & McLennan’s 2020-2021 Board Survey, the top three weaknesses identified by Directors in a survey dominated by COVID-19 risks were: Digital Competence, Opportunity Management, and Technology Infrastructure.
It is important to underscore the importance of this trend because it has not really changed in the last ten years. Looking back in 2012, a global survey identified data security and data loss as the top risks.
Director Responsibilities: Cyber Governance Best Practices
While Board members must ensure first and foremost that they are disinterested decisionmakers and act in good faith, when making decisions regarding cybersecurity and cyber event risk management the fulfillment of director duties requires following a few simple rules:
- Be well-advised and ensure professionals are well-qualified and have the Board’s confidence. Professional advisors should include:
- Outside lawyers
- Cyber Consultants
- Crisis Management Communication Professionals
- Make sure the Board is comfortable with the cybersecurity processes in place:
- Timing for completion of actions and assessments following a cyber incident
- Communication timetables following cyber incident (both internally and externally)
- Board/Board leadership involvement
- Ensure directors are informed, meaning the directors have:
- Asked necessary questions
- Examined assumptions
- Reviewed relevant material information reasonably available for decision-making
- Keep up with relevant demands and expectations for Board conduct, including having the necessary expertise on the Board to make decisions
- Ensure that confidential information and non-public information remains confidential
By satisfying these rules, Boards can position themselves to mitigate risk; satisfy the company, shareholder and stakeholders; and most importantly, for the directors to establish a pattern of behavior that is consistent with satisfaction of the Business Judgment Rule.
Application of the Business Judgement Rule
The “Business Judgment Rule” is invoked by directors in lawsuits when a director or directors take an action that affects the corporation, and a plaintiff alleges that the director violated the duty of care. Under the Business Judgment Rule, a court will uphold the decisions of a director; provided that they are made in good faith and with the care that a reasonably prudent person would use, and with the reasonable belief that the director is acting in the best interests of the corporation.
In recent years, Courts have relied on the Business Judgment Rule to avoid holding management liable for cyber events committed by others. In 2016, the United States District Court of Minnesota dismissed derivative claims against individual defendants related to directors and managements alleged failures concerning Target’s data breach ruling that it was not in the best interest of the company to pursue them. Nevertheless, Boards need to be proactive about cybersecurity risks. Regulators are already imposing enhanced cybersecurity requirements in healthcare, insurance, and financials. In fact, contract provisions often have various cybersecurity requirements that can present procurement risks for companies.
In determining whether a Board has satisfied its duties, the Board is entitled to rely upon outside professionals that are providing advice to the company and the Board. Typically, in context of a cybersecurity attack this will include cybersecurity consultants, lawyers, and media crisis experts that may be utilized in the event of a cybersecurity incident or in advance thereof, to prevent such an attack. The Board should proactively appoint and approve these professionals as part of its cybersecurity event response plan. Moreover, the Board should be satisfied with the reporting process, policy review, and cyber incident plan implementation/update, so that it can best assure its satisfaction.
It goes without saying that Board diversity today includes gender and race; however, it also includes satisfying all of the areas of expertise that is needed to serve the company well. More and more we are seeing companies evaluated by investors on the expertise they have within their Boards. In evaluating the satisfaction of Board members’ happiness with the expertise among the other members, the best tool available is the annual Board survey. We recommend Board surveys include an objective review for each Board member of their own expertise and assessment of whether they believe the Board has all the expertise that it needs.
Role of Board Surveys
Board surveys can be an effective tool in satisfying the Business Judgment Rule and ascertaining the Board’s satisfaction with the expertise on cybersecurity and technology present on the Board. For example, beliefs about whether the Board has sufficient expertise can be assessed through survey questions, such as:
- Does the Board have sufficient technology and cybersecurity risk expertise on the Board of Directors?
- Does the Board feel confident in the professionals recommended by management in the Cyber Response Plan, including lawyers, cybersecurity consultants, and public relations crisis professionals?
- Do Board members have individual expertise in technology and cyber security?
- Does the Board believe areas of risk management need additional resources devoted to them?
- Are there areas that Board members believe should receive more attention at meetings?
A good Board survey elicits responses that might not be coming out in a meeting but may need addressed. The trends illustrated in Board surveys should be utilized to assist the nomination committee in its design of new director or executive searches, and to help craft Board education and agendas for the year. It is also important for management to work together to complete the aforementioned questions with those informed about cybersecurity and technology taking the lead. By being responsive to survey results, the Board and management can show the measures that they took to ensure adequate risk protection. Thus, ensuring that it has satisfied the basic requirements of the Business Judgment Rule when the inevitable cyber event occurs.
Republished with permission of the author. This article originally appears here.
Molly Z. Brown is Of Counsel in Brouse McDowell’s Business Transactions & Corporate Counseling Practice Group. Her practice focuses on public and private securities offerings, mergers and acquisitions, corporate governance, and compliance matters. Molly brings significant experience and knowledge leading securities transaction and mergers and acquisitions teams to successful completion of transactions that are revenue generating for clients.
Jarman J. Smith is an associate in Brouse McDowell’s Business Transactions & Corporate Counseling Practice Group. After graduating cum laude with a Bachelor of Business Administration, Marketing, and Business Prelaw from the Ohio University College of Business, Jarman went on to complete his Juris Doctorate at the Ohio State University. Jarman has extensive research experience, having served as a Research Assistant at the Ohio State University Moritz College of Law.