Cybersecurity is a Corporate Fiduciary Responsibility
The risks associated with cybersecurity and data privacy protection are well recognized in today’s world. Several high-profile cyber breaches have emerged recently, affecting millions of customers and employees and resulting in unprecedented losses for businesses through direct costs in responding to the breaches, business disruption, regulatory penalties, reputational damage, loss of shareholder value, and lawsuits brought by customers and business partners.
Yet, despite the extent of cyber risk in organizations of all sizes, some degree of confusion exists about the corporate fiduciary duties that company directors and executives have with respect to cybersecurity. Many companies struggle to address it as a top-line risk and to ensure that their directors and executives fulfill any relevant fiduciary duties under the law.
Cybersecurity is a Fiduciary Duty
Shareholders rely on the Board of Directors to protect a company’s assets. Directors owe fiduciary duties to their shareholders and have a significant role in overseeing the company’s risk management.
Though fiduciary duties vary by state, under Delaware law – the operative law for many US companies – directors have fiduciary duties of care and loyalty to the company. They need to exercise reasonable care in all decision-making without placing unnecessary risks on the organization. In the cybersecurity and privacy context, duty of care requires that corporate management keep themselves informed of corporate audit and risk committee findings.
When it comes to duty of loyalty, executives and directors have a corporate fiduciary duty to their stakeholders to act in the company’s best interests and protect stockholder investments. Cybersecurity and privacy risks can expose a company to regulatory and contractual losses, which may result in adverse impacts on the company’s financial health. When the directors fail to oversee cybersecurity, it breaches this fundamental fiduciary duty.
Consequences of Cyber Risk
The company’s Board of Directors has primary oversight responsibility and corporate fiduciary duty regarding cybersecurity and data privacy. This oversight includes responsibility for ensuring that their enterprise risk management program assesses, monitors, and reports on cybersecurity and privacy risks, including their potential impacts on the company’s bottom line. When directors fail to institute or monitor cybersecurity measures or consciously disregard red flags that they have a fiduciary duty to address, shareholders may bring claims to hold directors personally liable.
While directors may invoke the business judgment rule to excuse poor business decisions, this rule will fail to justify choices if available information was not incorporated into appropriate business decisions. Failing to make use of this information is generally perceived as negligence of corporate fiduciary duty. In its 2015 ruling in Tibble v. Edison International, the United States Supreme Court held that “because a fiduciary normally has a continuing duty to monitor investments and remove imprudent ones, a plaintiff may allege that a fiduciary breached a duty of prudence by failing to monitor investments properly and remove imprudent ones.”
The Harvard Law School Forum on Corporate Governance article, Risk Management and the Board of Directors, further highlights this – noting that board processes and decision-making may still be questioned where there are specific allegations that directors ignored “red flags.”
Cybersecurity Risk Management
The best way to protect yourself and the company is by elevating cybersecurity to an enterprise-level risk management issue that must be evaluated, documented, and addressed/mitigated, according to the company’s risk profile and economic realities. When cybersecurity and data privacy risks remain down in the IT trenches, risk treatment options are rarely part of Board discussions. In fact, Board members may not even be aware that critical business processes are at risk, leaving them blindsided and the company vulnerable to litigation and fines.
The good news is that there are several practical steps executives and directors can take to minimize cybersecurity risks to their organizations and protect themselves from personal liability.
- Understand the laws and regulations relating to data security and privacy that apply to your organization by consulting with the appropriate experts. Be aware of which regulatory bodies have authority over the organization.
- Understand the impact of cyber risk: Boards must ensure that they understand the implications of cyber risk and have plans in place to deal with it. Undertake a thorough analysis of the company’s most valuable assets and determine the risk that each might present in the event of a cyber breach or loss. Determine which risks to prioritize, avoid, and mitigate. It’s also vital to factor in the risk associated with partnering with third parties, as they may have their own vulnerabilities. Consider cyber insurance to mitigate risk – ask about the policy’s limits and exclusions and whether it covers both first-party and third-party data losses.
- Incorporate cybersecurity expertise into board governance: Consider appointing a director with experience in cybersecurity who will have primary responsibility for cyber risk management. Such a person should check that the board understands the company’s critical assets and its current strengths and weaknesses, and that it operates a robust cybersecurity policy addressing each of these factors, among others. Also, seek out third-party advisers and assessors who report to the board regularly to update the group on recent cyber incidents, trends, vulnerabilities, and risk predictions. This helps to ensure effective oversight of management.
- Assess current cybersecurity practices: Ensure that your organization has cybersecurity policies tailored to your risk profile, and those policies are adequately implemented, enforced, and regularly updated. Implement a management response plan to potential cybersecurity breaches. The plan should identify who will be responsible for making decisions when a breach occurs and what actions the company will take in the event of a breach.
- Cybersecurity training: Ensure that the company’s cyber policy provides regular cybersecurity training to employees. It should contain a practical and efficient incident response plan that will help mitigate any damage caused by a cyber-attack. Everyone in the organization needs to participate in the employee cybersecurity training, including directors and executives.
- Consider hiring outside cybersecurity experts to evaluate the company’s level of preparedness for a breach. Many companies lack the internal security expertise to manage a cybersecurity program. You can bring in outside experts to review red flags and the adequacy of insurance, conduct stress-testing, implement an effective cybersecurity policy, and craft and test a practical incident response plan. Additionally, having brought in an outside expert can pay off later in the event of a breach: if you can show on record that you’ve had experts assess your IT infrastructure, then you have a paper trail documenting your preparedness efforts.
Enterprises face cyber threats and attacks every day. In fact, it’s not a matter of if a cyber breach will occur, but when and how significant the breach will be. As such, directors and officers must fulfill their fiduciary duties by ensuring the company has an adequate and tested cybersecurity program in place and is prepared to respond to a data breach quickly and adequately. This will not only help protect them from potential personal liability, but it will also protect the organization, its customers, employees, and shareholders.
At 4it Inc., we’re passionate about helping organizations take stock of their cyber risks and manage those risks across the complex landscape of technology, business, and people. We can improve your organization’s cyber risk posture by performing information security risk assessments, working alongside CIOs & CISOs to set and communicate strategic security priorities, and advising board members on effective governance of cyber risks. Contact us today to schedule a consultation with our cybersecurity experts.