Cybersecurity remains a key focus for boards of public companies. Ransomware attacks, the theft of personally identifiable information and “zero-day” vulnerability exploits continue to fill the headlines, and directors of public companies in all industries should take these reports as a reminder of their important oversight role in the management of risk and of the need to assess both management’s ability to properly manage cybersecurity matters and their own capabilities to serve in a meaningful oversight role. The daily media reports stand in contrast to a number of past surveys of directors of public and private companies, which show staggeringly low rates of affirmative answers on whether the board receives regular briefings on cybersecurity matters, whether the board has adequate expertise to address cybersecurity and whether directors believe cybersecurity is even a board-level issue. Although it may appear that boards have been slow to focus on cybersecurity, that seems to be changing, and actions of institutional investors and governmental authorities are moving boards along.
Cybersecurity matters have increasingly been the focus of institutional investors. Although institutional investors are focused on those companies with the greatest vulnerability to cybersecurity attacks, they are increasingly concerned with the impact of business interruptions, compromised personal data, stolen intellectual property and the litigation, reputational damage and the loss of management focus that can result from a cybersecurity incident affecting all of their investments. As part of their engagement with public companies, institutional investors are increasingly focusing their board governance questions on risk management generally and cybersecurity in particular. Institutional investors want to know that companies have considered their cybersecurity risk profile and will probe companies on the cybersecurity and data security risks they are facing, who could target them and how their security programs and their boards’ oversight have developed around these threats. Institutional investors also want to know that there is expertise both in management and on the board that can execute and oversee, respectively, a comprehensive cybersecurity readiness plan.
Cybersecurity is also an increasingly important issue for governments at all levels. In 2017, the President issued a wide-ranging executive order on cybersecurity, focused on preparedness of federal agencies and critical infrastructure. Congress, through several committees in both the House of Representatives and the Senate, has also been focused on cybersecurity. Over the last year, there have been a number of public hearings where multiple House and Senate committees have called on executive officers of public companies to account for major cybersecurity breaches and compromised consumer personal data. Additionally, members of Congress have proposed a number of pieces of legislation designed to address the cybersecurity preparedness and responsiveness of public companies and impose requirements designed to address the public safety and privacy issues. One such measure would require public companies to appoint a cybersecurity expert to the board or explain to shareholders why one was not necessary. State governments are also focused on cybersecurity matters, with New York imposing new cybersecurity requirements for financial services and insurance companies, adding to the patchwork of industry standards, best practice frameworks and mandatory requirements.
This focus has not been limited to cybersecurity incident preparedness and responsiveness. The increasing collection and use of personal data has led to a growing call for legislative controls and protections focused on personal privacy. Congress has introduced legislation addressing a range of issues from mandating notification to consumers of data breaches, to requiring comprehensive privacy and data protection programs and new liability regimes. Each state has put in place some form of data breach notification legislation. Outside of the United States, the most prominent example is the General Data Protection Regulation (GDPR), which came into effect in the European Union in 2018. The GDPR imposes stringent and complex requirements on any business operating in the European Union related to processing of personally identifiable information. These new requirements have imposed and will continue to impose costs, both in terms of implementation and changes to business models, as well as steep fines for inadequate compliance.
Just as many of the largest public companies were preparing their annual reports and right before the 2018 proxy season was in high gear, the SEC, in February 2018, released new interpretive guidance on public company disclosures related to cybersecurity risks and incidents. This guidance also outlined the SEC’s views regarding the importance of appropriate disclosure controls and procedures, insider trading policies and selective disclosure safeguards in the context of cybersecurity incidents.
WHAT SHOULD BOARDS (AND THOSE THAT ADVISE THEM) DO NOW?
It is clear that boards need to ensure they have the focus and support required to properly oversee cybersecurity and data security risks. Even companies that do not hold large volumes of customer data are vulnerable to attack. Hackers can target a company to gain access to material unreported financial information for use in insider trading. Cyberattacks can be used for corporate espionage to steal critical business processes, intellectual property or trade secrets. And individuals may design cyberattacks to freeze a company’s networks for a ransom or even just to show that it can be done.
The failure to maintain proper oversight over cybersecurity matters can lead to significant exposure for the company and, if the board is found to have failed in its oversight function, for its directors. In addition, the remediation costs, business interruption and management distraction, coupled with reputational harm, can be incredibly damaging. We have seen recent examples of business combinations being impacted by cybersecurity breaches, and earlier this year the SEC brought the first ever case against a company for failure to properly disclose and oversee a cybersecurity incident.
Although every company has a different cybersecurity risk profile, which demands a level of focus and attention that is appropriate to its profile and the materiality of cybersecurity risks to its business, the following are things that all boards should consider now:
ARE BOARD MEMBERS BECOMING MORE CYBER-FOCUSED?
The timing of the SEC announcement – in the thick of the proxy season and followed by months of media reports of executives and public company boards being called to answer for a series of high-profile breaches – may have resulted in a reconsideration of proxy disclosures related to board governance over the last year. Here is how disclosures about board oversight over cybersecurity matters for the Top 100 Companies changed this year: