Cybersecurity Risks: Discussion for the Board Room (and for the General Counsel)
The issue of cyberliability risk is finally making its way to the board room. We have written about the importance of board education and board involvement in the assessment of cyber threats and liability risk (see our series here), and the Securities and Exchange Commission is looking carefully at public company disclosures of cybersecurity risks as a factor for the investing public. Reputation, cybersecurity and social media are largely intertwined, and the associated risk has captured the attention of most boards. However, the executives seem to lack significant understanding, and organizations are missing robust plans to address the identified concerns. The fifth annual board survey conducted by accounting firm EisnerAmper, "Concerns About Risks Confronting Boards," reveals that concerns over cybersecurity/IT risks among the directors surveyed have increased by nearly 10% and have overtaken regulatory/compliance risk as the second most important concern to all boards. Further, the top concern is reputational risk, which is one of the main issues embedded in cybersecurity risk.
A recent Corporate Counsel article (authored by Mintz Levin colleagues David Barres and Dom Picca) provides an in-depth discussion of "Director Liability for Cybersecurity Risks" outlining specific steps that directors can take to improve board oversight of cybersecurity risks, and the fiduciary duty claims that could result without such oversight.
These articles and studies should be on the agenda for September board meetings. The time is now.