Cybersecurity, Boards and Cyber-Board “Experts”: Caution Should Rule

A continuing frequent question from public companies is how a board should be constituted to oversee cybersecurity.  Many public companies foist this additional burden on the audit committee.   Those large enough to have a risk committee frequently allocate it there.  A corollary question then becomes what qualifications do one or more directors need to have to oversee such risk.

Much of this analysis would seem apt for individual state law which, for the majority of corporations, means fiduciary duties in Delaware.   The business judgment rule requires an absence of conflicts (presumably not really applicable in this context) and due care by a board.   Plaintiffs firms—ever eager to seize upon a new potential litigation entry point—have been relatively unsuccessful in asserting breach of fiduciary duty claims against boards.  The seminal case to date, against Wyndham Hotels, was unsuccessful.   Despite multiple separate data breaches, the district court in the case found that Wyndham’s directors had been regularly briefed on cyber-risk and had exercised their fiduciary responsibilities.

Not one to let a good opportunity to muddle an issue pass it by, Congress waded into this debate in late 2015 with the introduction of a bill from Senators Jack Reed and Susan Collins titled the “Cybersecurity Disclosure Act of 2015.”   If enacted the bill would, within 360 days of becoming law, require public companies to:

  • Disclose whether any of their directors had cybersecurity “expertise or experience”; and
  • If no such directors qualified, what efforts the Nominating Committee had undertaken to remedy such absence.

The definition of “expertise or experience” would be designated by the SEC in consultation with the bureaucracy at the National Institute for Standards and Technology (NIST), which promulgates the U.S. Government’s protocols on cybersecurity.

Like many government interventions, the bill is well-intentioned but misplaced as follows:

  • The bill references NIST relying on, “…professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats…”  A few directors—particularly of technology companies—who are professors or computer scientists or the like may qualify based on their profession.  However, many competent directors who are astute business managers may lack such obvious credentials.   The bill threatens to force boards to dilute business expertise of a board with members who either have gone through bureaucratic hoops—or force members to be washed quickly through a cottage industry in purported cyber-programs.
  • While bill proponents may note that it is a “disclosure only” requirement, the onus of additional government regulation is clear.  And while proponents may also draw an analogy to the financial expert requirement under Sarbanes-Oxley—the analogy is flawed.  GAAP is the language of any corporation—a complex body of specific rules where interpretation is the key.   Cyber-security is highly evolving, fluid and differs vastly from one company to another.  While the NIST protocols are rough guidelines, they are simply not a technical body of regulation or operational language as is the case with GAAP.   Further, risk profiles and substance differs drastically:  A consumer payments company has very different risk issues from a business-to-business equipment supplier.  Mandating some government-blessed background offers the precision of a butter knife approach—not a scalpel.
  • Private rights of action, and thus plaintiffs’ law firms are an excellent counterbalance and arguably more effective than any government decree.   Corporations face massive liability, whether in direct damages or derivative actions, if they get it wrong.

A few salient points of best practice:

  • Time is the number one factor in assessing any strategic implication of a company.   In a world when directors average eight (or so) days a year at in-person meetings—notwithstanding telephonic committee meetings—carving out sufficient calm, thorough time to actually delve substantively on a continuing basis into an issue is difficult but necessary.
  • A best functioning board is an inquisitive, active board.   Relying on a management dog-and-pony show schedule of any presentation is unlikely to yield best results.  Board members should not hesitate to immediately and frequently interject with tactful questions.  That does not mean the board has to contentiously cross-examine presenters—but savvy board members will intuitively nudge rather than excoriate management.   A highly intelligent board member with specific relevant industry expertise is worth more than a government-mandated security course.
  • Balancing workload.   It is not clear that the Audit Committee is the best place for cyber-risk.  Those companies that have risk committees would seem to devote additional time to other risks as well—without impinging on the important work of the audit committee.
  • Policies and architecture.  A board need not be nuanced in highly technical issues to understand the importance of organizational roles.  Does the company have an independent voice, such as a Chief Information Security Officer (CISO) who can dissent from I.T. and report directly to the head of a committee (or at least a CFO or CEO)?    Does the company have an incident response plan tailored to the company—and has it been through table-top simulated exercises with after-action reports?
  • Rely on your inside and external teams.   In any technical subject, it matters to have both the right teams and the right structural checks-and-balances.  Competition both internally and with more than one external advisory firm is wonderful at motivating behavior.  At the risk of self-interest, boards should not hesitate to independently engage outside experts, both at a technical and governance level.  Even if these teams are sporadically consulted, retention also assures familiarity and response time if a crisis breaks out.