Cyber risk: The risks to boards of directors and board member obligations


Reposted from it Governance:

Original author: Lewis Morgan

The increase in cyber attacks has forced cybersecurity to climb the agenda in board meetings, making it a top priority in the majority of NYSE-listed organizations.

A recent survey found that cybersecurity is discussed at 80% of all board meetings. In the same survey, however, it was revealed that only 34% of boards are confident about their respective companies’ ability to defend themselves against a cyber attack. To make matters worse, a separate survey found that only 11% of respondents believed their boards possessed a high level of understanding of the risks associated with cybersecurity.

Boards are talking about cybersecurity, but the findings suggest that they’re not quite sure what it is they’re talking about – and that’s a problem.

Luis A. Aguilar, commissioner of the Securities and Exchange Commission (SEC), recently said, “Boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”

Directors face increasing litigation risk in connection with their responsibilities for cybersecurity oversight, particularly in the form of shareholder derivative litigation, where shareholders sue for breaches of directors’ fiduciary duties to the corporation.

In the past five years, shareholder derivative litigation has been initiated against the directors of four organizations that suffered data breaches: Target, Wyndham Worldwide, TJX Companies, and Heartland Payment Systems.
These recent cases have included allegations that directors:

  • failed to implement and monitor an effective cybersecurity program;
  • failed to protect company assets and business by recklessly disregarding cyber attack risks and ignoring red flags;
  • failed to implement and maintain internal controls to protect customers’ or employees’ personal or financial information;
  • failed to take reasonable steps to notify individuals in a timely fashion that the company’s information security system had been breached;
  • caused or allowed the company to disseminate materially false and misleading statements to shareholders (in some instances, in company filings).

Read More