Magazine article Risk Management

Key Cyberrisk Management Questions for Directors and Officers: Courts Have Historically Made It Difficult to Hold Directors and Officers Personally Liable for Breaches of Fiduciary Duties. But as Cyberrisk Management Liability Standards Evolve, Directors and Officers Increasingly Face the Risk of Personal Exposure

Article excerpt

In September 2015, following Home Depot's high-profile data breach that exposed more than 50 million credit and debit card numbers, shareholders sued 12 company directors and officers alleging they breached "their fiduciary duties of loyalty, good faith, and due care by knowingly and in conscious disregard of their duties failing to ensure that Home Depot took reasonable measures to protect its customers' personal and financial information." On April 28, 2017, the parties filed a proposed settlement to resolve the matter, which, if approved, would require Home Depot to change its governance structure, reorganize its risk management entities, and pay the shareholders' attorneys more than $1 million, among other costly and time-consuming changes.

Most recently, the WannaCry ransomware incident reminded us of increasingly common and harrowing threats, particularly for those at the helm of an organization who might not be aware of its vulnerability to these attacks. Recovering encrypted files can be costly, and even if the ransom demand is small, most ransomware incidents result in hours, or even days, of downtime. Even worse, where the attackers have also exfiltrated data, the criminals remain in possession of the company's proprietary information and could sell or release it publicly even after the targeted company believes it has resolved the situation.

Boards face mounting pressure to consider what a worst-case cyber event would look like and how it would be handled. What corporate governance structures would kick in? Should law enforcement be involved? What will be the legal fallout--whether consumer privacy litigation, shareholder suits or criminal investigations? To fully grasp the magnitude of such risk, risk managers and boards must address specific questions and implement effective policies that protect their customers, their organizations and themselves. Proper planning and response are especially critical, as failures are increasingly likely to lead to significant consequences.

1. What Are the Fiduciary Duties of Directors and Officers Regarding Cybersecurity?

As most officers and directors understand, under the business judgment rule courts presume that they are acting on an informed basis, in good faith, and in the company's best interests. With respect to cybersecurity issues, however, courts and corporate regulators are applying increasingly stringent standards to how boards identify, assess and address cyberrisks. Proper board preparedness and risk management are critical to insulating officers and directors from liability.

Reviewing court decisions and regulations, clear standards and best practices for corporations become apparent. Boards must hold frequent meetings--at least quarterly--to analyze cyberrisks and potential plans of action. They should create or appoint a committee to review cyber issues and/or investigate data incidents and breaches. Boards should also seek third-party guidance on assessing and implementing security enhancements, and must understand which cyberrisks can affect the enterprise and have a clear plan to address them. Boards must work with risk management to implement a monitoring, compliance and risk management program, oversee and test that program, and investigate possible violations.

That said, liability is determined not only by how potential problems are anticipated and addressed, but also by how governing entities respond when actual issues arise. Once data breaches and cyberattacks are discovered, boards and management have a duty to investigate. While such investigations can be conducted internally, they are best handled by independent, outside legal counsel for two reasons: 1) to cement attorney-client privilege, protecting critical and confidential information and analysis from discovery; and 2) to establish good-faith efforts to discharge their fiduciary duties.

2. How Can Officers and Directors Properly Discharge Their Cybersecurity Fiduciary Duties?

Strong, established risk management programs must have the right technology in place to identify where risks can have the most impact on the business and brand. …
