In-house counsel, and outside counsel who work with them, technically represent the company. They are fiduciaries to the corporate entity, which has as its highest authority the board of directors. Accordingly, an important part of the general counsel’s role is to provide sound legal compliance and legal risk-mitigation advice to the board.
While it is a new risk, cybersecurity falls squarely within the traditional “risk oversight” obligations of corporate directors. Directors have fiduciary duties to act in good faith and with care and loyalty, which, in the cyber context, includes directing management to design, implement, and enforce a robust cybersecurity compliance program. To effectively do so, directors must be educated and informed about the company’s risk profile, threat actors, and strategies to address that risk; they must receive regular briefings from management and metrics to understand progress toward the desired state.
Indeed, the Securities and Exchange Commission recently emphasized the criticality of the board’s cyber activities to the marketplace.[1] In its 2018 cyber guidance, the SEC stated that disclosure in annual reports or proxy statements of the board’s role in risk oversight of a company pursuant to Item 407(h) of Regulation S-K should include a discussion of the nature of the board’s role in overseeing the management of cybersecurity risks that are material to a company’s business. In addition, the SEC observed that disclosures on how the board engages with management on cybersecurity issues will allow investors to assess how a board of directors is discharging its risk oversight responsibility in cybersecurity matters.
The foregoing is not surprising given the potential severity that breaches can have on a company’s performance and value, including its brand and reputational assets. That has spurred shareholder derivative suits against directors and officers in the aftermath of major data breaches. In these suits, plaintiffs allege that the directors and officers failed to ensure effective cybersecurity programs, recklessly ignored security warnings and various red flags, and, as a result, the company had inadequate controls and procedures to protect personal and financial information against unauthorized access and acquisition.
We offer three insights from the frontlines of governance work that we believe have the dual benefit of not only helping to mitigate risk for the company, but also helping directors and officers to fulfill their cyber fiduciary duties:
- Practice with Your InfoSec Team
While cyber risk is not “new,” its high level of board attention is certainly new. InfoSec teams, often for the very first time, are in the boardroom and are responsible for educating the board on the company’s risk profile, vulnerabilities, current security state, and road map for remediation and sustained risk management. Accordingly, the InfoSec team needs practice and guidance from counsel (e.g., regulatory and litigation perspectives) to be most effective in communicating with the board. Counsel’s early involvement is particularly important when the board will assume a more active role—for example, where InfoSec conducts a board-level incident response tabletop or discusses ransomware attacks and the issue of who in the company decides whether to pay.
- Vertically Integrate InfoSec with the Governance/Disclosures Team
From a governance perspective, many companies do not involve their InfoSec teams in the risk disclosures process and committee. Especially for public companies, lawyers can help to establish a channel for reporting cyber events, and the appropriate board committee (whether the Audit, Risk, or even Cybersecurity Committee) can thereby gain experience around assessing events for disclosure filing purposes.
- Implement Trading Blackout Protocol for Cyber Events
Based on the 2018 SEC cyber guidance, lawyers should assess whether procedures are in place to determine whether implementing a trading blackout period while the company investigates and assesses the significance of a cyber incident is appropriate. They should also review insider trading policies to ensure that those policies prohibit insiders from trading when in possession of material non-public information relating to cyber risks or incidents.
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
[1] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 C.F.R. pts. 229, 249 (2018).