Board Members Fiduciary Responsibilities With Cybersecurity

Cybersecurity is increasingly becoming an evolving threat to all sizes of organizations and businesses. According to a report from Risk-based Security research, data breaches led to a whopping 36 billion records being exposed during the first three quarters of 2020. These breaches are quite expensive for companies involved, with actual costs ranging from revenue loss, financial penalties, lawsuits, loss of reputation to eroded shareholder value.

In the past, when the board of directors’ cybersecurity duties was not clear, they were generally presumed to be free of any liability for cybersecurity incidents and breaches. Today, the changing laws and legal conclusions indicate the board members have a huge fiduciary responsibility towards cybersecurity. This blog looks into the company directors’ fiduciary duties towards cybersecurity and how to manage them.

Cases in point:

Current court trends suggest directors are more likely to face personal liability for breaches that happen in the future. Here are a few examples to ponder:

• In June 2020, a judge in Georgia declined to dismiss a claim against a director of Equifax, Inc., who had information regarding the organization’s vulnerabilities yet misrepresented the strength of the organization’s technological environment.
• In 2020, a judge in California approved a settlement against directors and officers of Yahoo! Inc. relating to a data breach.

What Are the Board Members’ Responsibilities Regarding Cybersecurity?

The sheer sophistication, frequency, and magnitude of cybersecurity breaches and the unprecedented damages to corporations serve to clarify the board member’s cybersecurity duties. When you fail as a director to institute or monitor cybersecurity measures in your organization or when you ignore red flags that you have a known duty to address, shareholders can bring a claim to hold you personally liable for data loss. Some of the critical cyber security roles and responsibilities of the board of directors include:

• Cybersecurity risks oversight: In the past, the oversight of a company’s cybersecurity was left wholly to the relevant IT department. Currently, organizations need to approach cyber security as a central organizational topic. This implies that company directors must be actively involved in everyday decisions regarding the management of cyber security risks and implementing strategies to mitigate the risks.
• Resources allocation for cyber security: As part of their mandates, the board has a responsibility to allocate adequate resources for cyber security. Lack of advanced technologies and expertise can complicate efforts to secure the organization’s IT environment. Providing the ideal digital tools to the IT security department and employees working remotely and in-office is crucial.
• Promote tech experts to the board: Currently, many organizations prefer outsourcing their IT to tech firms. Although this is an ideal strategy to reduce costs and fill the missing skill gap, the board can benefit from having a few in-house experts with an excellent understanding of cybersecurity sitting at a top executive position. Promoting tech professionals to the board can help guide the company towards a healthier cyber security environment.
• Identify the risks unique to the organization: Cyber risks differ from one organization to another. The board of directors has a duty to identify the unique risks facing the company and develop strategies to mitigate these specific risks. Auditing internal and external processes, organizational structures, and systems can effectively identify unique vulnerabilities facing an organization. The board can engage a trusted IT partner to help in this area.
• Develop and implement a risk mitigation plan: The board has a duty to identify the systems and data crucial to the company’s operations. With this in mind, the directors should develop a risk mitigation plan to safeguard the essential systems and data from risks of cybercrime. The ideal plan should be current and must provide contingencies for incidents and unexpected events. The board should also develop guidelines regarding privileged access. Allowing every other employee privileged access will likely increase the risks of cyber-attacks substantially.

Board Members Best Practices to Minimize Liability

Now that it has become more evident that the oversight of cyber risk is an integral part of a board member’s duty and fiduciary responsibility, the board should take practical steps to secure their organization. Here are a few practices to minimize personal liability for a data breach:

• Understand the law: The directors should understand the laws and regulations relating to data security and privacy applicable to their organization. Strive to know the regulatory bodies with authority over your organization and their compliance regulations, laws, and guidance regarding cybersecurity.
• Conduct regular cyber assessments: Conducting regular cyber security assessments can be an effective way to understand your vulnerabilities for robust mitigation measures. Be in the know regarding the type of data your organization collects or maintains and how that data flows within your organization.
• Implement effective controls and procedures: If you are a public company, ensure you put in place robust controls and procedures to mitigate cyber security risks and incidents in all the mandatory public filings and disclosures.
• Establish data security policies: Make sure your organization has put in place data privacy and security policies tailored to meet your risk profile. These policies should be regularly updated, adequately implemented, and enforced.
• Regular training of employees: You should also ensure your employees receive frequent security and privacy training on the latest trends in the cyber security world.
• Implement reporting systems: Another good practice is implementing robust cybersecurity reporting, controls, and monitoring systems. These systems enable your IT teams to be abreast regarding potential red flags, risks, and threats, so they react proactively.
• Identify roles: Identify the members of the board with cybersecurity responsibilities. These members should receive adequate training on cyber security to guide the board’s discussions regarding IT security.
• Audit vendors: You should also oversee the selection and monitoring of all vendors and service providers your organization engages. This guarantees contracts with vendors contain mandatory security and privacy obligations to protect your IT infrastructure from unnecessary risks.
• Get the right insurance: Familiarize yourself with the appropriate insurance policies covering cyber risks and data breach response. Consider getting a policy that covers all levels of losses, including first and third-party data losses.

Final Thoughts

Today’s organizational structure makes the board members liable for breaches of a company’s security systems, implying directors are more likely to face liability if customers and employees are exposed to the risk of cybercrime. Because cyber security is an ongoing concern for the entire company, board members should be accountable for possible failures and breaches. A board that is not committed to cyber security cannot effectively implement proposed cyber security plans and strategies. If you need help securing your IT environment to minimize the risks of data breaches and reduce your cyber security fiduciary responsibility, contact BC Networks. We provide unmatched IT services and IT support for small and large corporations throughout the San Francisco Bay Area. Contact us today to learn more.