“I wasn’t aware of the risks”
“Our IT team handles that”
“We outsource that to a third-party vendor”
These are typical responses from Board members (and even CEOs) when they are asked about their organization's cybersecurity. But the tide is shifting, and Boards and C-level executives are being held responsible for protecting the data that their organizations collect, transmit and store.
Lawsuits are targeting Boards accused of negligence for failing to address known cyber threats or, in some cases, of misleading the public about the level of cybersecurity in place.
Shareholders filed suit against Target, alleging that the Board breached its fiduciary duties by failing to maintain proper internal controls for data security, and by initially misleading the public about the scope of the breach. Wyndham Worldwide faced a similar shareholder action after its third data breach in two years, and recently reached a settlement with the FTC, agreeing to a comprehensive security program with annual audits, for "unfairly placing consumers at risk".
If you are a Board member, or an advisor to the Board, here are some key questions you should be able to answer:
- Do you have a high-level understanding of the cyber risks, based on the type(s) of information being collected, transmitted and stored?
- Who is responsible for ongoing assessment of risk? Has an outside firm independently confirmed the risk level and the cybersecurity framework in use?
- What controls, processes and procedures are in place to mitigate the risks?
- Is every employee receiving ongoing cybersecurity awareness training?
- How are third-party vendors assessed to verify that they follow cybersecurity best practices?
- Is there an incident response plan in place, including resources for legal, public relations, and cybersecurity forensics if needed?
- Is the cyber insurance coverage appropriate, and what is included and excluded? Many underwriters now require sign-off by the CEO confirming that the protections stated to be in place are accurate, and some insurers will even credit a portion of the cost of proactive cybersecurity testing.