With breaches of nearly 150 million Americans’ personal information flooding the news the last few weeks, followed by the filing of more than 50 class action lawsuits to date, and the announcement of an FTC investigation, cybersecurity is squarely on the minds of directors and on the table in boardrooms across the country. On September 14, 2017, Reed Smith was pleased to host Dawn-Marie Hutchinson, Executive Director with Optiv’s Office of the Chief Information Security Officer, to talk about the latest trends in information security and to support boards in this important emerging area. Coming out of the webinar, one of the most important questions raised was not so much “What should boards do?” but “What are boards actually doing?” and how boards and executives can benchmark themselves against their peers.
Importantly, this is an issue that has been closely monitored by and extensively analyzed by the National Association of Corporate Directors (“NACD”). Not only has the group surveyed directors, but it has also written a handbook with extensive guidance for officers and directors. The guidance comes at a very critical time as the market has been flooded with white papers and other guidance for information security pros and CIOs on how to talk to boards about cybersecurity risk. At the same time, boards are asking among themselves and their advisers, what they should do or be doing. The NACD identified five things it believes boards should be doing. These activities include:
- Consider the Whole Enterprise. Cybersecurity is more than just an IT issue, and it should be approached holistically, including with respect to people, process and technology.
- Know the Law. Boards should be familiar with their own legal obligations and duties, AND those of the organization and business they are tasked with overseeing.
- Access Expertise. Both the quantity and the quality of the board’s discussions relating to cybersecurity matter. In addition to appropriate time and discussion at meetings, the board, as with other areas, can and should have access to experts to help inform their decision-making and oversight.
- Set Expectations. Many surveys suggest that while executive teams say cybersecurity is important, senior managers, a few levels down in the organization, may hear different messages. Board leadership and interest can help align and create the right tone and accountability.
- Manage Risks. Ultimately, the board can help ensure that risks are managed with intentionality. The board is in a unique position to identify, avoid, mitigate, transfer or accept risks, and to provide advice on the right mix of each of these strategies, including identifying and guiding the organization’s tolerance for risk.
So, what are boards actually doing and how are they approaching these issues? While “Big Picture” risks are considered at the full board level in 96 percent of NACD’s responding boards, only 46 percent of those responding identified cyber risk as an issue that is discussed among the full board. Rather, 51 percent of boards focus on cybersecurity risks at the Audit Committee level. Increasingly, boards have come under some scrutiny for and are looking to strengthen both technology and risk expertise. At the same time, the NACD’s guidance makes no specific recommendation that boards have cybersecurity expertise, and rather suggests that the board itself is best equipped to use its business judgment to determine the competencies its members require.
Knowing the law is increasingly important. Consumer class actions and cybersecurity-related shareholder derivative suits alleging that directors have breached their fiduciary duties are growing rapidly, and Bloomberg has reported that the trend increasingly resembles the stock-drop strike suit environment that led Congress to pass the Private Securities Litigation Reform Act. The Chamber of Commerce reports that four law firms are responsible for virtually all of the privacy and cybersecurity-related lawsuits. Most of these cases tend to be dismissed because of the difficulty in showing that the board failed to meet the required standard of care, as boards will frequently be protected by what is known as the “business judgment rule.” The dismissal of a suit brought against Home Depot is a good example of the type of suit, and of the challenges, facing shareholders who bring claims alleging that a board failed in its duties.
In order to protect themselves and get the benefit of the business judgment rule, boards are accessing expertise, setting expectations, and proactively managing risks—the remaining suggestions of the NACD. According to the NACD, 77 percent of boards have reviewed their company’s current approach to protecting its most critical data assets, 31 percent have received education on the issues, and 59 percent have reviewed the company’s incident response plan. These and other activities can be very helpful, not only in obtaining dismissal of lawsuits alleging the board failed in its duties, but also in avoiding such lawsuits altogether. Strikingly, only 31 percent of boards have leveraged external advisers to help them understand the risk environment. This is notable because relying solely on internal resources for risk assessment may limit the board’s visibility into broader trends and governance considerations, and may obscure real risks. For example, a number of investors with expertise in cybersecurity have been critical of organizations where, assuming there is a chief information security officer (or equivalent), that person reports to the CIO. In the words of one CISO,
“the job of the CISO is to tell the CIO their baby is ugly and no one wants to hear their baby is ugly.”
In addition to challenges of speaking truth to power, aligning departmental motivations with broader risk management considerations can be difficult without an enterprise-wide approach to the issues. Technology budgets may be large, but obtaining resources for people and processes may be difficult. This is especially true where negative unemployment persists for security experts. All of this combines to create opportunities for perfect storms.
In thinking through these issues, learning which questions to ask, asking them, and then ensuring that actions and accountability flow from the answers, will continue to be critically important for boards. The NACD expects that in the relatively near future, 100 percent of boards will have to address cybersecurity issues. The NACD’s handbook for boards includes helpful guidance and supporting information. It includes recent analysis and guidance relating to evaluating and supporting mergers and acquisitions – an increasingly important risk area for many companies.
In thinking about cybersecurity risk management and intentionality, Gerry Stegmaier, partner in Reed Smith’s IP, Tech & Data Group, who formerly defended SEC and securities class action cases, summed up an approach when he said,
You can’t stop security incidents. But, you can manage risk intentionally. Just like zebras crossing crocodile-infested waters, organizations can understand that they don’t need to go first, go last, and shouldn’t be small, but, just like zebras, they must cross.