Directors Can Be Held Liable If Boards Are Not "Cyber-Prepared"
As reported in the WSJ's Morning Risk Report: Cybersecurity Responsibility Falling to Boards, U.S. regulators are expecting corporate boards to take responsibility for cybersecurity.
Per the article, it is reported that regulators are saying directors and officers who fail to do so could be held individually liable for any lapses that occur. Accordingly, boards must assemble the proper teams and prepare plans to prevent and respond to any cyber breaches. In fact, a speech from Securities and Exchange Commission Commissioner Luis Aguilar in June 2014 made this point crystal clear:
When considering the board’s role in addressing cybersecurity issues, it is useful to keep in mind the broad duties that the board owes to the corporation and, more specifically, the board’s role in corporate governance and overseeing risk management. It has long been the accepted model, both here and around the world, that corporations are managed under the direction of their boards of directors.
Good boards also recognize the need to adapt to new circumstances — such as the increasing risks of cyber-attacks. To that end, board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues. Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks.
Commissioner Aguilar also noted that the the recently created National Institute of Standards and Technology framework creates a type of template that corporations, director's and officers can adapt to their organizational needs:
The NIST Cybersecurity Framework is intended to provide companies with a set of industry standards and best practices for managing their cybersecurity risks. In essence, the Framework encourages companies to be proactive and to think about these difficult issues in advance of the occurrence of a possibly devastating cyber-event. While the Framework is voluntary guidance for any company, some commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes. At a minimum, boards should work with management to assess their corporate policies to ensure how they match-up to the Framework’s guidelines – and whether more may be needed.
Among other things, the NIST framework advises companies and boards to:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Board preparedness and planning can be critical to insulating directors from liability. In a recent decision, Palkon v. Holmes, No. 14-CV-01234 (D.N.J.), a federal district court dismissed a shareholder class action against directors, the president/CEO, and general counsel of Wyndham alleging breaches of the fiduciary duties of care and loyalty and the wasting of company assets following 3 data breaches between April 2008 and January 2010 resulting in the theft of over 600,000 customers’ credit card information. Critical to the Court's decision making was the Business Judgment Rule, which the Court found protected the Board from liability as it:
- Held 14 quarterly meetings in which it discussed the cyber attacks, company security policies, and proposed security enhancements
- Appointed the audit committee to investigate the breaches, and that committee met at least 16 times to review cybersecurity
- Hired a technology firm to recommend security enhancements, which the company had begun to implement
- Had cybersecurity measures in place that had been discussed numerous times by the board prior to the security breach
Based upon existing regulatory guidance, expert analysis, and case law, in order to protect themselves from risk and legal liability, Boards should be asking and answering the following critical questions:
- What is the board’s familiarity with cybersecurity?
- Have the company's data "crown jewels" been identified and are they properly protected?
- Can the board articulate its cyber risks and explain its approach and response to such risk?
- Has the board assigned clear roles and responsibilities for identifying, evaluating, monitoring, and responding to cybersecurity incidents?
- What are the company's crisis communications plans in the event of a cyber attack?
- Is the company properly managing third-party vendors who have access to their IT environment?
- Does the company's insurance cover a cyber event?
If these questions cannot be adequately answered, boards and their directors should seek out legal and regulatory expertise to address these critical gaps. As the Palkon case shows, proper "cyber-preparedness" is the only way to limit board liability and truly minimize cyber risk.