Recent global cyberattacks have rudely reminded corporate America that cybersecurity risk management must be at the top of the board of directors’ corporate governance agenda. Companies have no choice but to prepare proactively, while directors must understand the nature of cybersecurity risk and prioritize its oversight.
Preparation, monitoring, emergency response and disclosure are topics that boards should consider regularly to properly oversee cyber risk management.
Preparation should include a detailed emergency response plan. Ideally, this plan should be updated frequently and periodically tested with cyberattack simulations to ensure that both technology and personnel are adequate to the task. Key employees should understand their precise roles, and management should clearly establish the company’s priorities in responding to an attack. A shared understanding of goals and values will help to guide employees and outside consultants as they make real-time decisions in the midst of developing situations. Pre-incident retention of response resources such as technology experts, lawyers, and public relations consultants is an important step toward streamlining crisis response.
Increasingly sophisticated cyberattacks are, unfortunately, a fact of life in today’s business environment. The challenge for directors is to oversee management’s efforts to address risk and to do their best to ensure that the company is prepared to weather a cyberattack. Cybersecurity consulting firms can be helpful in developing, updating, and stress-testing corporate response plans. In certain industries, a board may wish to have a director who is knowledgeable about cybersecurity, or to create a separate technology committee whose responsibilities include risk oversight.
“Data security is one of the most important priorities for boardrooms today, as the greatest harm a cyberattack can bring is loss of customer trust and revenues, and lasting damage to the brand. This issue isn’t going away, as hackers are getting more sophisticated every day; no one is immune. That’s why it’s critical for boards to call on outside security consultants immediately and leverage their expertise to ensure the proper strategies are in place. Longer term, it’s the board’s responsibility to help companies take data security out of the realm of technology discussions and make it part of the governance and compliance process. Companies should identify board candidates who can bring this level of expertise directly to the board and its governance for years to come.”
Directors should be aware that cyberattacks are increasingly malicious and dangerous as national security issues become ever more entwined with the functioning of American commerce. Boards should ensure that company insurance policies are adequate to cover previously unknown cyber threats, as well as extortion and even physical harm to employees.
State-of-the-art defenses, monitored continuously and updated frequently, possibly with ongoing assistance from outside technological consultants, are essential. Employees at all levels should be trained to follow cybersecurity best practices and protocols in order to recognize threats in the early stages. Prompt recognition and action can forestall large-scale attacks and prevent malicious software from propagating. Having an established relationship with the FBI and other relevant law enforcement resources facilitates immediate reporting and management of an attack.
Boards should receive periodic updates from management and its expert advisors on developments in cybersecurity regulations and on the company’s compliance with applicable cybersecurity standards. Although it is widely recognized that even first-rate preparation will not prevent all attacks in this rapidly evolving field, it may enable a company to minimize harm, mitigate losses, communicate effectively with stakeholders, and recover as quickly as possible from a cyberattack.
In the event of a significant cybersecurity breach, the board should be notified as promptly as possible, and the company’s emergency response plan should be put into effect. Designated personnel will implement the various elements of the cyberattack response plan in conjunction with law enforcement and any outside consultants. The board should continue to be apprised of significant developments on a regular basis as the company manages the situation and evaluates the impact of the attack. Management is responsible for determining the appropriate response with board oversight. Depending on the severity of the attack, the chairman of the board, individual directors, and the board as a whole may participate to a greater or lesser degree in the company’s response, as appropriate.
Disclosure of cyberattacks has been minimal in recent years — very few corporate targets publicize the incidents — but it is likely to expand as attacks increase in number and severity and regulatory regimes impose greater disclosure obligations. If a data breach or other cyber event is arguably material in its effect, nondisclosure can create regulatory enforcement and litigation risk. In the event of an attack, boards should seek the advice of internal and outside counsel in determining the timing, nature, and form of company disclosure. There is a growing sense that prompt and detailed disclosure is essential to our nation’s defense against cyberattacks. Timely disclosure and information sharing are likely to be helpful to other institutions facing similar threats or attacks.
Boards must review cyberattack preparedness on a regular basis, including business continuity plans, in light of each company’s particular vulnerabilities. The best defense — from attacks, from the attendant consequences, and from subsequent litigation — is a carefully tailored and constantly updated protective scheme accompanied by a detailed response plan. ■
David A. Katz is a partner at Wachtell, Lipton, Rosen, and Katz. Laura A. McIntosh is a consulting attorney for the firm.