Organizations are increasingly under the gun to get their directors more involved in cybersecurity risk management as part of their fiduciary duties and oversight responsibilities. But you don’t want them involved in a cyber incident itself, Miriam Wugmeister of Morrison Foerster says.
Aside from getting in the way of management’s ability to react to a breach nimbly, board involvement can push directors into an unwanted role in the likely event of a lawsuit after the incident is addressed.
“The main reason to keep board members’ role limited during a cyber incident is to make sure they don’t become witnesses and are not dragged into litigation,” Wugmeister, a Morrison Foerster partner, said in a podcast hosted by the firm.
Getting involved also risks directors waiving the defenses that are there to protect board members who act in good faith, she said.
The Securities and Exchange Commission’s cybersecurity rule is one example of a regulatory change that requires public companies to show they have board-level cybersecurity expertise. The European Union is moving in that direction, too, and there are other developments that are pushing organizations to get directors more involved. The Federal Trade Commission, for example, in some recent consent decrees, is making a stepped-up role for boards part of the settlement conditions.
Given this reality, organizations are smart to formalize a role for directors in cybersecurity, but that role should be limited to developing a policy, making sure adequate resources are allocated for responding to an incident such as a ransomware attack, and doing follow-up checks after an attack.
“Cybersecurity should be considered a strategic enterprise risk alongside other enterprise risks,” Alex Iftimie, associate general counsel at OpenAI and a former co-chair of Morrison Foerster’s risk management practice, said in the podcast. “Boards need to be briefed on the most significant data security risks to the organization and how the investments the company is making in security compare to peer companies.”
The organization should bring in experts to brief the board on the risks and how to respond as part of the process for developing a response protocol. The board should also be involved after an incident to learn whether management has taken steps to address the reasons the incident happened.
“The board should be asking questions … to make sure the right level of resources – people, money, technology – has been put in place to remediate the issues discovered,” Wugmeister said.
Whatever structure is created, it should keep the board out of the minute-by-minute response to a breach or other incident.
“Decisions regarding what has to happen during an incident happen incredibly quickly,” said Wugmeister. “There has to be a small number of people involved in these decisions. Management has to be nimble. The facts are changing constantly.”
Most organizations get directors involved in cybersecurity as part of the audit committee. That’s a reasonable approach, since cyber incidents typically involve a big financial impact and raise questions about whether the organization has adequate controls, which are both audit committee issues.
But it’s not clear that a committee whose members mostly have finance and accounting expertise is the best choice for overseeing a cyber risk plan.
“One of the tensions of having the audit committee at the helm of a cyber incident is that the audit committee typically isn’t where most technology, cyber-savvy board directors sit,” Iftimie said.
One approach is to put the cyber function in the broader risk management committee and treat the issue the same way as other strategic enterprise risks. Another is to create an ad hoc committee to develop the cyber response plan and then fold the oversight of the plan into the risk management or other committee.
“You convene the committee for a set period of time and drive change quickly in the aftermath of an incident,” said Iftimie. “Then you give that authority back to the full board or other committee.”