Cybersecurity has rapidly emerged as a top-of-mind issue for many Boards of Directors in the wake of recent large-scale data security incidents. Boards are engaging with management teams in new ways in order to assess cybersecurity risks and the company's readiness to respond to emerging threats.
These threats have placed additional pressure on Boards in part due to the level of attention and adverse scrutiny directed at other data security incidents. This includes scrutiny from shareholder advisory service firms as well as a number of government agencies, including the FTC, the SEC, and state Attorneys General, who routinely investigate data security incidents. While the "business judgment rule" can be expected in most circumstances to provide protection to the Board in the event of shareholder litigation regarding data security issues, a careful review and assessment of the company's level of preparedness for cybersecurity risks is a helpful step in mitigating risks to the business.