The Board and the CEO must have the knowledge and skills necessary to assess cybersecurity risks, challenge security plans, discuss activities, formulate opinions, and evaluate policies and solutions that protect the assets of their organization. The failure to maintain adequate risk oversight can expose companies, officers, and directors to liability.
Directors owe fiduciary duties to their shareholders and have a significant role in overseeing the risk management of the company. The failure to exercise appropriate oversight in the face of known risks constitutes a breach of the duty of loyalty. A decision about cybersecurity that was “ill-advised or negligent” constitutes a breach of the duty of care.
The Board and the CEO must also assess whether and how to disclose a cyberattack internally and externally to customers and investors. After a successful cyberattack, companies and organizations must provide evidence that they have an adequate and tested cybersecurity program in place that meets international standards, and that they are prepared to respond to a security breach properly and quickly.
We provide short, comprehensive briefings on key issues the board needs to be informed about in order to exercise professional judgment and adequate risk oversight.