Keeping a company adequately prepared for cyberattacks is the right thing to do. For members of corporate boards, it’s also a legal responsibility.
Corporate boards face a legal duty to establish and oversee programs that help protect their companies from liability claims related to data breaches. That’s not a new responsibility. It’s been a standard in the United States for more than 20 years.
In recent years, an increase in data breaches at major businesses has highlighted some of the legal risks for companies and their leaders.
Some boards whose companies were victimized in cyberattacks probably were lax or sloppy in carrying out their duties. Some might have been vigilant but were victimized anyway because of unknown gaps in technology or unforeseen failures by employees or partners.
Some of the biggest breaches in recent years have occurred at big-name companies, including Yahoo, eBay, Equifax, Target, Anthem, and Home Depot. Small and midsize businesses that have been hacked don’t get as much news attention. A lot of the companies might not even realize their files have been compromised.
All corporate boards must become as diligent dealing with cybersecurity as they have been with financial planning and other traditional responsibilities of business leadership, according to legal experts.
“Boards neglect cybersecurity issues at their peril,” warned an article published online in February 2017 by the Harvard Business Review.
“Boards have to embrace the facts and adjust their thinking: Cybersecurity threats are universal, and board members have to take ownership of these risks. The topic should be discussed regularly in all board rooms, regardless of industry, region, or company size,” wrote J. Yo-Jud Cheng and Boris Groysberg.
Cisco reported in its 2017 Annual Cybersecurity Report that more than a third of organizations breached in 2016 reported losses of more than 20 percent in customers, revenues and business opportunities. Cisco is a California-based company that develops, makes and sells networking hardware, telecommunications equipment and other high-tech products.
“In 2017, cyber is business, and business is cyber – that requires a different conversation, and very different outcomes. Relentless improvement is required and that should be measured via efficacy, cost, and well-managed risk,” said John Steward, Cisco’s chief security and trust officer.
The Cisco report released last January, urged businesses to make security a priority.
“Executive leadership must own and evangelize security and fund it as a priority,” the report urged.
The report also suggested that businesses review security practices, keep systems patched and control access to networks.
Businesses also were encouraged to test the effectiveness of their security plans and take an integrated approach to defending against cyber threats. Integrating a security mindset throughout a company can reduce the time needed to detect and stop attacks.
Asking questions is a good starting place for boards that want to make cybersecurity a higher priority, according to the Harvard Business Review article. Board members can hold executive managers accountable for evaluating risks and maintaining response plans, for example.
“They can advocate for investments in data security and infrastructure within their organizations, and encourage executive management to bring in external experts if needed,” the article says. If necessary, board members also can bring on consultants or new board members to assist the board.
Recent lawsuits have challenged the conduct of directors and officers before, during, and after hackers breached companies’ networks and took data protected by privacy laws.
Womble Bond Dickinson’s Communications, Technology & Media team focuses on cybersecurity and corporate liability issues. They represent rural telecommunications companies around the nation, including some in the Sioux Falls region.
In presentations to groups, representatives have outlined legal responsibilities and liability considerations related to cybersecurity for members of corporate boards to consider. That includes:
“The board must ensure a plan that protects the company’s reputation and good name in the event of a breach.”
“Failure to have this plan in place subjects company to risk and massively increases liability and resulting damages when breach occurs.”
For members of corporate boards, cybersecurity clearly has become more important than ever.