I just co-authored with David Fontaine (Chief Legal Officer of Altegrity, Inc.) a 12,000-word primer on boards of directors and cybersecurity entitled “Ten Cybersecurity Concerns for Every Board of Directors.” This topic is ready for a thoughtful yet uncomplicated approach — which David and I discuss in detail. As we point out in the article:
Cybersecurity has quickly emerged as a key corporate risk area and therefore one that a board of directors should address . . .
Yet unfortunately, the public’s view of cyber-attack victims is less about understanding and sympathy, and more about anger, suspicion and finger-pointing. The world of incident response is an upside-down one: rather than being treated like crime victims, companies experiencing data breaches are often treated like criminals, becoming defendants in federal and state enforcement actions, class actions and other proceedings. And given in particular the 47 or so separate state privacy regimes, together with a growing range of federal agency jurisdiction, instead of accepting a helping hand, cyber-attack victims are accepting service of process for multiple subpoenas.
These harsh realities, together with the spate of large-scale and headline-grabbing cyber-attacks experienced in the past year (which most experts believe are just the beginning of a new era of cybersecurity defense), mean that members of corporate boards will become much more actively involved in ensuring the organizations they oversee are adequately addressing cybersecurity. For corporations, this is the dawning of a new era of data breach and incident response, where trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year.
Formerly looked upon as the problem of the IT director, cybersecurity has quickly evolved into a board issue and responsibility, which the board has a fiduciary duty to understand and oversee. In the aftermath of a corporate cyber-attack, boards and the companies they govern are subjected to immediate public scrutiny and, in many cases, unwarranted criticism. This new cyber-reality has essentially removed the distinction between board member and IT executive.
But cybersecurity engagement for members of the board of directors does not mean that members should obtain computer science degrees or personally supervise firewall implementations and intrusion detection system rollouts. Boards of directors can accomplish oversight of cybersecurity in two ways. First, by using the concerns outlined in this article to become actively involved in ensuring the organizations they oversee are adequately addressing cybersecurity. Second, and more importantly, by approaching the subject in much the same way as an audit committee probes a company’s financial statements and reports: with a vigorous, skeptical, intelligent and methodical inquiry.