The likelihood of a cybersecurity breach hitting a company in the near future is as certain as what follows it: a drop in shareholder value, finger-pointing, fines, regulatory headaches, and civil litigation alleging that the board was asleep at the wheel in the face of a known danger that finally materialized. The question every board member must answer is whether the actions they are currently taking to protect their company’s digital assets are sufficient to withstand the Monday morning quarterbacking that will occur after a cyber attack.
I recently published a series of three articles intended to help boards of directors better understand the breadth of their fiduciary obligation in managing looming cybersecurity threats.
In today’s world, many companies maintain their most valuable assets in digital form. Thieves no longer need to physically enter a company’s facility to steal its valuables. Rather, an individual on the other side of the globe, or right next door, can, with equal impunity, silently steal a company’s most prized possessions by breaching its data network. Due to the evolving nature of cyber risks, there is a lack of authority discussing the scope of a board’s obligation to address such attacks.
Obviously, directors’ fiduciary duties extend to the protection of significant digital assets. The more difficult question is: What are the contours of a director’s fiduciary obligation when it comes to cybersecurity? As discussed in my articles, the answer to this vexing question is almost always “it depends.” As with all risks, the extent of a director’s obligation, and the amount of attention an issue should receive at the board level, will depend on such things as the nature of the company, the foreseeability of an attack, and the potential severity of a cyber breach.
Each of the three articles in my “Cybersecurity and the Board of Directors: Avoiding Personal Liability” series can be read in its entirety by clicking on the links below: