Cyber Risk for the Board of Directors and the CEO
Threat networks are flexible, agile, and ever-evolving groupings of hackers, criminals, terrorists, competing countries, and their supporters and facilitators. These networks can include employees, competitors, suppliers, and service providers that blend illicit activity with legitimate business.
The Board and the CEO must have the knowledge and skills necessary to exercise professional judgment in assessing cybersecurity risks, challenging security plans, discussing activities, formulating opinions, and evaluating policies and solutions that protect the assets of their organization.
Securities and Exchange Commission (SEC) Commissioner Luis Aguilar has said: “Boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.”
According to the former FBI Director James Comey, “There are two kinds of big companies in the United States. There are those who’ve been hacked… and those who don’t know they’ve been hacked.”
In a February 12, 2013, executive order, the White House noted that “cyber threats are one of the most serious economic and national security challenges we face as a nation and that America’s economic prosperity in the 21st century will depend on cybersecurity.”
The failure to maintain adequate risk oversight can expose companies, officers, and directors to liability. Directors owe fiduciary duties to their shareholders and have a significant role in overseeing the risk management of the company. The failure to exercise appropriate oversight in the face of known risks constitutes a breach of the duty of loyalty. A decision with regard to cybersecurity that was “ill-advised or negligent” constitutes a breach of the duty of care.
The Board and the CEO must also assess whether and how to disclose a cyberattack internally and externally to customers and investors. After a successful cyberattack, companies and organizations must provide evidence that they have an adequate and tested cybersecurity program in place that meets international standards, and that they are prepared to properly and quickly respond to a security breach.
Our presentations, awareness and training programs for the Board of Directors and the CEO: