Posted In: Business Transactions & Corporate Counseling & Cybersecurity & Data Privacy
By Molly Z. Brown & Jarman J. Smith on October 27, 2021
Over the last two years, the COVID-19 pandemic caused Directors to broaden organizational priorities and focus on technology risks related to ensuring operations continue smoothly. As we move back to the new “normal” it is time to revisit cyber-related risk management. This blog posting will focus on directors’ board governance contributions to managing cyber risk.
Directors’ Contributions to Cyber Security
Directors are typically tasked with the responsibility to oversee management’s handling of risk and the review and approval of policies and procedures. Cybersecurity, technology, and loss of data risks represent a sizeable part of that risk matrix, with cybersecurity and data loss being the top risks. In Marsh & McLennan’s 2020-2021 Board Survey, the top three weaknesses identified by Directors in a survey dominated by COVID-19 risks were: Digital Competence, Opportunity Management, and Technology Infrastructure. ¹
It is important to underscore the importance of this trend because it has not really changed in the last ten years. Looking back in 2012, a global survey identified data security and data loss as the top risks.²
Director Responsibilities: Cyber Governance Best Practices
While Board members must ensure first and foremost that they are disinterested decisionmakers and act in good faith, when making decisions regarding cybersecurity and cyber event risk management the fulfillment of director duties requires following a few simple rules:
- Be well-advised and ensure professionals are well-qualified and have the Board’s confidence. Professional advisors should include:
- Outside lawyers
- Cyber Consultants
- Crisis ManagementCommunication Professionals
- Make sure the Board is comfortable with the cybersecurity processes in place:
- Timing for completion of actions and assessments following a cyber incident
- Communication timetables following cyber incident (both internally and externally)
- Board/Board leadership involvement
- Ensure directors are informed, meaning the directors have:
- Asked necessary questions
- Examined assumptions
- Reviewed relevant material information reasonably available for decision-making
- Keep up with relevant demands and expectations for Board conduct, including having the necessary expertise on the Board to make decisions
- Ensure that confidential information and non-public information remains confidential
By satisfying these rules, Boards can position themselves to mitigate risk; satisfy the company, shareholder and stakeholders; and most importantly, for the directors to establish a pattern of behavior that is consistent with satisfaction of the Business Judgment Rule.
Application of the Business Judgement Rule
The “Business Judgment Rule” is invoked by directors in lawsuits when a director or directors take an action that affects the corporation, and a plaintiff alleges that the director violated the duty of care. Under the Business Judgment Rule, a court will uphold the decisions of a director; provided that they are made in good faith and with the care that a reasonably prudent person would use, and with the reasonable belief that the director is acting in the best interests of the corporation. ³
In recent years, Courts have relied on the Business Judgment Rule to avoid holding management liable for cyber events committed by others. In 2016, the United States District Court of Minnesota dismissed derivative claims against individual defendants related to directors and managements alleged failures concerning Target’s data breach ruling that it was not in the best interest of the company to pursue them.4 Nevertheless, Boards need to be proactive about cybersecurity risks. Regulators are already imposing enhanced cybersecurity requirements in healthcare, insurance, and financials. In fact, contract provisions often have various cybersecurity requirements that can present procurement risks for companies.
In determining whether a Board has satisfied its duties, the Board is entitled to rely upon outside professionals that are providing advice to the company and the Board. Typically, in context of a cybersecurity attack this will include cybersecurity consultants, lawyers, and media crisis experts that may be utilized in the event of a cybersecurity incident or in advance thereof, to prevent such an attack. The Board should proactively appoint and approve these professionals as part of its cybersecurity event response plan. Moreover, the Board should be satisfied with the reporting process, policy review, and cyber incident plan implementation/update, so that it can best assure its satisfaction.
It goes without saying that Board diversity today includes gender and race; however, it also includes satisfying all of the areas of expertise that is needed to serve the company well. More and more we are seeing companies evaluated by investors on the expertise they have within their Boards. In evaluating the satisfaction of Board members’ happiness with the expertise among the other members, the best tool available is the annual Board survey. We recommend Board surveys include an objective review for each Board member of their own expertise and assessment of whether they believe the Board has all the expertise that it needs.
Role of Board Surveys
Board surveys can be an effective tool in satisfying the Business Judgment Rule and ascertaining the Board’s satisfaction with the expertise on cybersecurity and technology present on the Board. For example, beliefs about whether the Board has sufficient expertise can be assessed through survey questions, such as:
- Does the Board have sufficient technology and cybersecurity risk expertise on the Board of Directors?
- Does the Board feel confident in the professionals recommended by management in the Cyber Response Plan, including lawyers, cybersecurity consultants, and public relations crisis professionals?
- Do Board members have individual expertise in technology and cyber security?
- Does the Board believe areas of risk management need additional resources devoted to them?
- Are there areas that Board members believe should receive more attention at meetings?
A good Board survey elicits responses that might not be coming out in a meeting but may need addressed. The trends illustrated in Board surveys should be utilized to assist the nomination committee in its design of new director or executive searches, and to help craft Board education and agendas for the year. It is also important for management to work together to complete the aforementioned questions with those informed about cybersecurity and technology taking the lead. By being responsive to survey results, the Board and management can show the measures that they took to ensure adequate risk protection. Thus, ensuring that it has satisfied the basic requirements of the Business Judgment Rule when the inevitable cyber event occurs.
How Brouse Can Help
The attorneys at Brouse McDowell are well versed in cybersecurity and data privacy matters as well as corporate governance matters. Our attorneys are experienced in guiding companies through cybersecurity incidents and creating proactive preparation for cybersecurity response, Board corporate governance, investor disputes, special litigation committees, and providing Board education. Should your company need assistance on these matters the attorneys at Brouse McDowell can help you in these specialized areas. Please contact us for more information and to learn how we can partner with you.
1 Marsh & McLennan Advantage, Global Network of Director Institute, Global Network of Director Institute 2020-2021 Survey Report available at www.marshmclennan.com/content/dam/mmc-web/insights/publications/2021/january/GNDI--2020-2021--Survey--report.pdf (visited Oct. 18, 2021)
2 Corporate Board Member, Legal Risks on the Radar, 2012 Law and the Boardroom Study, Aug. 13, 2012, at 2.
3 In re The Home Depot, Inc. S'holder Deriv. Litig., 223 F. Supp. 3d 1317 (N.D. Ga. 2016) (derivative action related to data breach dismissed under business judgment rule); see also Koos v. Cent. Ohio Cellular, Inc., 94 Ohio App.3d 579, 589 (8th Dist. 1994); see also In re Walt Disney Co. Derivative Litig., 906 A.2d 27, 52 (Del. 2006) (quoting Aronson v. Lewis, 473 A.2d 805, 812 (Del. 1984) overruled on other grounds).
4 Davis v. Steinhafel, No. 14-CV-00203, 2016 BL 515842 (D. Minn. July 7, 2016) (order granting motions to dismiss); see also www.law360.com/articles/815012/target-execs-escape-derivative-claims-over-data-breach.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2022 Brouse McDowell. All rights reserved.