Board members are now facing lawsuits after large-scale cybersecurity breaches because the security breakdowns are considered a failure to uphold fiduciary duties. The Department of Justice has recently provided guidelines for cybersecurity awareness for board members. The CIO now has a responsibility to communicate the cybersecurity strategy to board members and make them aware of critical risks to help avoid personal liability.
Details of day-to-day activities like software monitoring and firewall setup are important for the IT team and CIO to understand, but that level of granularity is not necessary for the Board. However, at a minimum, the Board should understand how cybersecurity failures can impact the business.
The Board should know how critical business processes could be affected by a breach, how decisions are made during an emergency situation, and how company compliance can impact a breach.
1. How critical business processes would be affected by a breach:
It is important for the CIO to review the results of regularly scheduled security assessments with the Board, so members are aware of potential threats to critical business processes and the steps being taken to safeguard against those risks. The Board is responsible for acting on information presented in risk assessments. When members take steps to address risk appropriately, they are fulfilling their fiduciary duties.
Some of the critical business processes to monitor are those that involve the customer, those that involve a breach of company IP and those that related to financial transactions. These processes are the channels through which company and customer information move back and forth, which makes it an ideal target for an attack.
2. How decisions are made in an emergency:
In addition, the Board needs to know how decisions will be made during an incident. The CIO should review current internal compliance policies and review how the company rates against industry standard compliance policies with the Board. This information can be used to help to Board prioritize risks and identify areas where the most harm could be caused.
Like in any emergency situation, having an internal and external communication plan is imperative. Depending on the nature of the situation, it may be necessary to involve specialized outside legal counsel. The Board should be involved in selecting an outside firm and should know what their role will be. In addition, the Board should understand how information would be documented, tracked and communicated in the event of a breach. Miscommunicated information related to a data breach, or withheld information, can mean the company and Board have failed to uphold their duties and they would assume liability for the incident.
3. How company compliance can impact a breach:
A cybersecurity breach is not the time to find out that basic compliance policies are not being followed. If external vendors are accessing internal systems, their access and permissions in the systems should be monitored and controlled just like company employees. The CIO should be aware of vendor compliance policies and know how vendors are securing company data. In the Target breach of 2013, they were not in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). This type of compliance is something that companies simply cannot afford to ignore.
Cybersecurity is as much about technology as it is about people, including the Board of Directors. Board members have a unique responsibility to protect their company’s assets and customer information. They no longer have the luxury to keep cybersecurity on the sidelines for IT to manage. They must work to integrate the cybersecurity strategy with the overarching business strategy and make sure risks are appropriately addressed.