Board Oversight – It Is Your Fiduciary Duty
As with the oversight of other major corporate risks, such as financial risk, the Board must be informed on the company’s cyber risk and proactively oversee the company’s management of cyber risk.
Recommended Board Actions:
- Review reports from senior management regarding cybersecurity risks, cyberattacks, and cyber risk management plans.
- Evaluate whether the company is properly managing cyber risk, including whether adequate resources are devoted to cybersecurity.
Directors are not expected to be security experts and can rely upon management’s reports and the advice of outside experts. The business judgment rule informed by applicable best practices remains the standard for evaluating decisions taken by a Board in this area.
The record should reflect that the Board has specifically addressed cybersecurity. With the number of cyber incidents on the rise, as well as an increased legislative and regulatory focus (see the SEC disclosure guidance for more information), Boards must focus on cyber risk. Indeed, many Boards have gotten the message: in a 2012 Law and Boardroom Study, data security was ranked by corporate Board members as their number one issue of concern (http://www.fticonsulting.com/global2/media/collateral/united-states/legal-risks-on-the-radar.pdf). Does cybersecurity receive the proper attention on your Board?
Please see the following list of questions to help you properly oversee your company’s cyber risk:
Considerations for Board Structure and Make-Up:
- Is there a Board committee assigned to address cybersecurity? Do we need a separate risk committee?
- Does someone serving on the Board have expertise in cybersecurity and information technology?
Questions to Help Evaluate the Company’s Cybersecurity Risks and Risk Management:
- What are the company’s cybersecurity risks and what cyberattacks have occurred?
- How is the company managing cyber risk?
- Does the company have a chief security officer who reports to a senior executive outside the information technology division?
- How is the organization using counsel and outside consultants?
- Do the company’s outsourced providers and contractors have cyber controls and policies in place? Do they align with the company’s expectations?
- What is the cybersecurity budget? Is it adequate?
- How will management respond to a cyberattack? Under what circumstances will law enforcement be notified?
- What constitutes a material cybersecurity breach? How will those events be disclosed to investors?
- Does the company have cyber insurance? If a cyber insurance policy is in place, is it adequate?
- Is there an established annual, company-wide cybersecurity awareness campaign?
For more information, checklists, and resources for Boards, see the following:
For Audit Committee resources, see the following: