Fiduciary Liability With Cybersecurity Risks
As news of ransomware attacks and data breaches fills the headlines, directors report that cybersecurity risk is one of their greatest concerns. Over the last few years, cyber threats and attacks have grown rapidly. In fact, SonicWall reported in its mid-year update that there were 304.7 million attempted ransomware attacks in the first half of 2021.
According to the 2021 SonicWall Cyber Threat Report, the most commonly attacked industry is government, by an overwhelming margin. The data most commonly targeted by cybercriminals includes financial information, consumer data, employee data, and business communications.
Globally, there is a greater understanding of the impact of cyberattacks and data breaches on businesses and on countries as a whole. Legislation has been enacted that imposes fines on businesses and organizations that mishandle data or fail to implement proper security policies. These regulations and policies are the clearest sign that businesses and organizations are being held to higher standards.
For quite some time, there was no clarity on how, or whether, directors could be held responsible for data breaches. Today, directors can be held liable for failing to exercise due care and diligence with respect to cybersecurity risks. Directors can also be held responsible for failing to implement the measures and policies required by data protection legislation. Directors who ignore their cybersecurity responsibilities will have no protection under the business judgment rule.
Understanding the Cybersecurity Threat
It is rare to go one day without reading a news article about a data breach, identity theft, or other cybersecurity issues. It is a persistent battle that businesses and organizations have to undertake to stay ahead of cybercriminals who want to steal data and take control of systems.
With the growing reality of cybersecurity risks, governance publications have tended to treat cybersecurity risk differently from other risks. In reality, however, board members have always been entrusted with protecting their businesses and organizations from significant risks, and cybersecurity is one of them.
While cybersecurity may seem to be an intimidating new risk to board members, there has been a long-established board governance approach to cybersecurity risks. The board’s role and responsibilities are generally made up of the following categories:
- Corporate Culture
- Risk Management
- Talent Management
With respect to cybersecurity, the board plays a critical role in overseeing a business or organization’s cybersecurity strategy. Every director should have a clear understanding of cybersecurity risks and of what those risks mean for the board’s responsibilities. While the board’s business-judgment obligations are the same for this ever-growing risk as for any other, cybersecurity remains a complex topic of discussion.
It is important for boards of directors to carry out their cybersecurity responsibilities, including strategic development and governance. Effective oversight in this area can be the difference between an organization learning the hard way, by suffering irreparable damage, and limiting the damage that frequently accompanies a data breach.
What is the Role of the Board?
A record number of data breaches in 2021 shows that cybersecurity risk is as crucial as any other risk within a board’s scope. Just as boards are responsible for supervising a business or organization’s financial controls and systems, boards also have a duty to supervise how a business or organization manages cybersecurity, including overseeing risk mitigation strategies and controls.
Without proper oversight and accountability, a business or organization’s cybersecurity strategies, policies, and controls are meaningless, and the organization is left extremely vulnerable to cybersecurity threats and attacks. With the ever-growing threat of ransomware attacks, data breaches, and other cybersecurity risks, boards can no longer claim ignorance of the risks and expect that claim to serve as a defense against allegations of oversight failures.
Regulators want board members to show more evidence that they are attentive to today’s cybersecurity risks. It is not uncommon for directors to be removed from their boards after a significant breach. Even when directors return to the board, there remains the possibility that lawsuits will be filed and penalties handed down.
What’s in Your Cybersecurity Strategy?
In many cases, boards are given cybersecurity reports from IT that are highly technical but lack a strategic overlay that board members can understand. To obtain a clear understanding and exercise effective oversight, boards need cybersecurity strategies and reports that are clear and concise. Strategies and reports from IT should be comprehensible in nontechnical terms.
There should also be systems and controls in place to monitor the implementation of cybersecurity strategies and controls. This requires regular conversations between the board and management, along with effective communication and collaboration in sharing accurate and useful information, including performance tracking metrics. Reports should contain less jargon and more plain English, and any strategic plan should be agreed upon by senior management and the board.
While a strong perimeter defense can be an effective deterrent to less advanced and sophisticated attacks, a more effective cybersecurity strategy directs resources toward a business or organization’s processes and controls, with additional layers of protection around the organization’s most sensitive and valuable assets. As technology advances and new technologies and techniques appear, businesses and organizations may have to adjust their future strategies and processes. Boards should seek guidance on strategic cybersecurity best practices.
Creating a cybersecurity strategy begins with identifying and prioritizing cybersecurity risks. A business or organization’s cybersecurity strategy should take into account the type of harm that could occur when those risks become reality. Directors are liable for breaches of their fiduciary duties and must perform those duties responsibly and with due diligence. In carrying out these duties, directors must ensure a strong and effective cybersecurity policy, one that covers notifying the public of data breaches, efficient data management, and staff education and training.
Directors should be aware of their fiduciary responsibilities when addressing cybersecurity risks. Directors can avoid a potential fiduciary breach by implementing effective cybersecurity safeguards and partnering with an IT consulting provider that works with organizations that take fiduciary responsibility seriously. If you have questions or concerns related to your fiduciary responsibility, contact WPG Consulting to schedule a consultation.