Top executives and board members in many companies rarely considered cybersecurity plans and saw little value in them. If anyone in an organization was directly responsible for protecting a company’s computer network, it might have been an IT staffer who reported to a second-tier manager.
Headline-grabbing data breaches steadily are changing that outdated business structure, and rightfully so. Cyberattacks are more common and more advanced than ever, and the consequences of successful attacks can be devastating.
The risks and potential consequences of cybercrime demand that cybersecurity be a priority for top business executives and corporate board members.
“Recent events demonstrate that robust cybersecurity is critical and that directors and officers should take an active role in ensuring that the corporation they serve is well protected,” according to the International Risk Management Institute.
Corporate liability for cybersecurity is a developing area of law, but it’s an issue that business executives and board members absolutely need to address on a sufficient and ongoing basis, according to Erin Fitzgerald, an associate attorney with the Communications, Technology & Media team at Womble Bond Dickinson in Washington, D.C.
“Company boards have a duty of care. They have a duty to the company that they serve. And they can be found to have breached that duty of care if that don’t take sufficient action,” Fitzgerald said during a recent phone interview.
Womble Bond Dickinson’s Communications, Technology & Media team is an interdisciplinary group of attorneys with extensive experience in areas such as telecommunications, broadband, cable, and all facets of the internet and technologies that drive our connected economy. They represent rural telecommunications companies around the nation, including some in the Sioux Falls region.
The Communication, Technology & Media team focuses on cybersecurity and corporate liability issues. They advise companies that cybersecurity planning is not an issue they’ll be able to cross off their to-do lists after a month or even a year of work.
“Cyersecurity is constantly evolving, constantly changing. It’s really something they need to take into their long-term strategic planning in terms of the dedication of resources,” said Fitzgerald, who is native of North Dakota.
There’s no way out of the responsibility other than to work through it.
“You have to start, and once you start you probably won’t stop. That’s how it’s got to be,” she said.
In presentations to groups, Fitzgerald outlines legal responsibilities and liability considerations related to cybersecurity for members of corporate boards. It includes a helpful list of best practices.
Here, in slightly edited form, are her suggestions:
- Ensure that the company has a cybersecurity compliance plan that includes an incident response and recovery process.
- Ensure that an annual audit, or cyber health check, is conducted.
- Understand the cyber risks associated with third-party service providers that connect with the company’s network.
- Require managers to report to the Board of Directors all major data breach attempts made against the company, not just the actual incidents, and provide a safe environment for reporting attempts and incidents.
- Make sure that managers can communicate the organization’s structure as it relates to risk management as well as provide staffing and budget details.
- Ensure that a chief information security officer (CISO) is reporting at an appropriately high organization level.
- Meet annually with the chief risk officer or chief financial officer or equivalent officer to review risks that have been avoided or accepted.
- Verify that cyber insurance coverage is sufficient to address potential risks.
Fitzgerald stresses the importance for company management to create a business environment in which employees feel comfortable about reporting potential problems without worrying about disciplinary repercussions.
Potential problems, such as a possibly successful scam that tricks an employee out of sensitive information, are more likely to be minimized if they can be dealt with quickly. Issues that go unreported or undetected for long periods can cause serious damage.
Fitzgerald advises company leaders to address cyber threats with good planning to avoid legal complications before, during and after data breaches.
“Start now and keep working on it forever,” she said.