Board oversight of cyber security
April 2018 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine, April 2018 Issue
In recent years, as high-profile data breaches have led to corporate crises, the resignations of C-suite executives, and substantial financial, regulatory, litigation and reputational harm for companies, cyber security has become a paramount corporate governance issue for boards. Time is of the essence with respect to board preparedness, since waiting until after a cyber attack has occurred is too late and is certainly not a record of adequate oversight. Recognising that cyber security issues are complex, boards should also understand that the legal and regulatory environment, as well as the actual cyber threats, are changing rapidly and are fraught with uncertainty. Despite these concerns, there are a number of steps boards should consider taking with respect to their cyber security governance and oversight.
An enterprise-wide risk management issue
As the National Association of Corporate Directors Cyber-Risk Oversight Handbook notes, boards should frame cyber security as an enterprise-wide risk management issue. In addition to the collateral consequences of a breach, a significant cyber security incident may result in the immediate disruption of the company’s business, the loss of material non-public information that may be traded upon and the theft of the company’s trade secrets, confidential data and proprietary and customer information. Such cyber incidents can be profoundly stressful for boards and senior management, as the company may need to speak publicly about an incident at a time when it is attempting to understand the relevant facts as they are developing. As such, a board should evaluate cyber risks in the same way it assesses risks threatening the company’s performance or assets. The entire corporate enterprise, as well as contractors, service providers and consultants with access to the company’s information, must be part of managing the company’s cyber security risks.
It follows that boards should direct management to establish an enterprise-wide cyber risk management framework, subject to periodic oversight and review by the board. Boards should dedicate adequate resources to the framework selected, and provide clear instructions with respect to the delivery of cyber-related reports.
When establishing a cyber security risk management framework, a board should consider the nature of the company and assess its particular needs, given the availability of resources. There is no single optimal approach to establishing a framework, but ultimately any framework implemented should be consistent with the company’s overall risk management scheme and business objectives.
Understanding the legal implications
Additionally, it is critical that boards understand the legal implications of cyber security risks. With respect to cyber security, the legal and regulatory environment is evolving and boards should actively stay informed of the potential liability issues facing their companies.
In recent years, regulatory investigations and enforcement actions have become common in the wake of cyber incidents. In the US, both the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) have brought data security enforcement actions. While relatively less active in the past year, the FTC has brought over 60 cases against companies alleging “unfair or deceptive acts and practices” following data breaches. In March 2016, the CFPB brought its first data security enforcement action against a company for allegedly deceiving consumers about the company’s data security practices and the safety of its online payment system.
In addition to the FTC and CFPB, the US Securities and Exchange Commission (SEC) has indicated that it will bring cyber-related enforcement actions when appropriate. Stephanie Avakian, co-director of the SEC’s Division of Enforcement, recently signalled that an enforcement action could be taken based on inadequate or delayed disclosures of cyber security risks or incidents. Additionally, SEC chairman Jay Clayton recently stated that he is “not comfortable that the American investing public understands the substantial risks that we face systemically for cyber issues”.
Against this backdrop, in February, the SEC issued new disclosure guidance on cyber security risks and incidents that highlights the board’s role in oversight of cyber security risk management. The SEC stated that if cyber security risk is material to a company’s business, the company’s description of the board’s risk oversight function should include the nature of the board’s role in overseeing the management of that risk. In addition, the guidance states that “disclosures regarding a company’s cyber security risk management programme and how the board of directors engages with management on cyber security issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area”. The SEC also reiterated the importance of policies and procedures that ensure timely notification of material cyber incidents and prevent trading by directors, officers and other corporate insiders while in possession of material non-public information regarding a significant cyber incident experienced by the company. Boards should understand, and have comfort that the company is addressing, the SEC’s heightened focus on cyber security incidents and adequate and timely cyber security-related disclosures.
In addition to regulatory scrutiny and enforcement actions, it has become common for companies to face investigations by state attorneys general following data breaches. For example, in the aftermath of its massive data breach, Equifax is currently facing inquiries from 50 state attorneys general. Nearly all states have data privacy and breach notification laws, many of which require notification to the state attorney general after a breach, including breaches much smaller than those that have made headlines in recent years.
There are also industry-specific laws, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, that govern the protection of certain kinds of data and give rise to liability in certain circumstances. There are similar legal and regulatory regimes in virtually every country in the world and global businesses need to be aware and compliant.
In addition, many international regulations apply broadly to companies that collect any personal data of citizens of the relevant jurisdiction. Most notably, the General Data Protection Regulation (GDPR), adopted by the European Union, will take effect in May 2018. The GDPR codifies data protection rules for all companies that collect data from any EU citizen, and greatly expands individuals’ control over how and when their personal data is collected and used. Wherever businesses are chartered or operate, their boards need to understand the cyber security and data protection-related statutes and regulations applicable to their industries.
In the wake of cyber security incidents, companies may also face substantial civil litigation. Notably, in February, the US Supreme Court denied certiorari in CareFirst, Inc. v. Chantal Attias, in which the US Court of Appeals for the District of Columbia Circuit held that plaintiffs suing over a data breach had established standing by asserting there was a “substantial risk” that unauthorised access to their personal information could be used for identity theft, even though there were no allegations that such identity theft had occurred. The Supreme Court’s decision means that plaintiffs will have an easier time in the DC Circuit, if not elsewhere, establishing standing in the rising incidence of putative class action litigation due to data breaches.
And cyber-related litigation has not been limited to lawsuits against companies. Some boards of directors have faced shareholder derivative actions alleging that the board neglected its fiduciary duty in its oversight of cyber security issues. Notably, to date, directors have been insulated from liability through a showing that they fulfilled their duty to act in good faith, with the requisite loyalty and due care, with regard to cyber security and the incidents at issue.
The importance of cyber security expertise
Many boards rely on their audit committees to provide oversight over cyber risk management. However, the audit committee may find it challenging to provide effective oversight in this area because information security involves a highly technical expertise that differs significantly from an audit committee’s typical financial reporting focus.
To add to their expertise, boards should consider seeking new directors with specific cyber security governance skills relevant to the company’s business. However, senior-level cyber security talent, while in high demand, is also in short supply, which makes this option unrealistic for many companies. For similar reasons, it may not be feasible for a board to create a committee dedicated solely to technology and cyber security risks.
Ultimately, however, it is crucial that boards have access to cyber security expertise in the same way that they have access to financial reporting, legal and compensation expertise. Within the company, the board should ensure that the senior manager responsible for information security has sufficient independence from the chief information officer, as these roles may entail competing priorities regarding security and ease of access to electronic materials. Boards should receive regular reports on cyber security risk assessments and testing from the most senior employee with responsibility for information security. Boards should also understand and be comfortable with the company’s cyber incident response plan, including how the board is to be notified and updated with regard to cyber incidents.
In addition, boards should consider hiring independent experts to regularly assess and report on companies’ cyber security programmes and ongoing risks. Numerous independent cyber security firms and robust cyber security units at major accounting firms offer this type of expertise. Independent outside expertise can be particularly valuable in instances where a company may lack adequate in-house expertise to gauge the company’s cyber security preparedness and measure the potential impact of cyber security events. Even where a company believes it can adequately assess and report on these issues, an outside expert can provide an independent assessment that boards may find valuable. The outside expert’s view cannot replace, but may complement, that of internal information security personnel, who will understand the company’s systems, resources and needs in greater depth. As with independent auditors, the board can meet with the independent cyber security expert in a closed session.
Regardless of whether the board hears from both inside and outside cyber security experts, the board should ensure that the cyber security reporting it receives is meaningful and valuable to non-expert members of the board as they assess cyber security risk. The National Institute of Standards and Technology and the International Organisation for Standardisation offer cyber security reporting frameworks that are emerging as accepted baselines for cyber security assessment. These frameworks may help to present the company’s cyber security maturity and risk to the board in a way that is comprehensible and meaningful to non-experts in information security.
Engaging with the oversight framework
Once an oversight framework is developed, board discussions about cyber risk management should take place on a regular basis with sufficient time for discussion. In light of the cyber security reporting and advice it receives, the board’s discussions should situate cyber security risks on a spectrum, identifying risks to avoid, mitigate through insurance, accept or transfer, to the extent possible. The board should document its review and discussion of cyber security issues in the board minutes.
Given the complexity of cyber security issues and the fact that a cyber incident may ultimately be impossible to avoid, it is essential that boards engage early and actively on cyber security. While the risks cannot be eliminated, the risks of a significant cyber incident occurring or causing harm may be mitigated by a board that is actively engaged on these issues.
Francis J Aquila is a partner and Nicole Friedlander is special counsel at Sullivan & Cromwell LLP. Mr Aquila can be contacted on +1 (212) 558 4048 or by email: firstname.lastname@example.org. Ms Friedlander can be contacted on +1 (212) 558 4332 or by email: email@example.com.
© Financier Worldwide