If 2016 was the year of cyber attacks, 2017 is the year of prevention. Over 12 months ago, experts predicted an increase in the innovation and sophistication of cyber attacks and a greater breakdown of security measures on a global scale. In fact, the introduction of the Internet of Things made the world more connected than ever, but it also paved the way for many organizations and individuals to become more vulnerable to security attacks. Forecasters predicted a perfect storm, and they were right. To mitigate the security threats, various states in the US adopted cyber-related legislation, including legislation that applies only to certain industries that are more sensitive to cybersecurity breaches. Furthermore, federal agencies such as the Federal Trade Commission (FTC), the US Department of Justice (DOJ), and the US Securities and Exchange Commission (SEC) are playing a vital role in regulating cybersecurity.
From the wreckage of the hacks and privacy violations of 2016, some important lessons were learned, and they set the trend for the next wave of technology innovations. According to Luis A. Aguilar, then an SEC Commissioner, the board's responsibility is to ensure the capability of the company's cybersecurity measures. The threat of cyber attacks has compelled many companies and their boards to establish an incident response plan for potential cybersecurity incidents, including contingency communications plans and cross-organizational teams.
Here are some of the recent developments in the cybersecurity area that are especially relevant to boards.
Shareholder Litigation and Board Fiduciary Duties:
Two separate shareholder derivative lawsuits alleging a breach of fiduciary duties by the directors, filed against Target and The Home Depot over cybersecurity incidents, were dismissed in July and November 2016 respectively. In a similar case, a lawsuit filed against the directors and officers of Wyndham in 2014 was also dismissed. In each of these cases, the court held that the plaintiffs had no strong evidence that the directors had failed entirely to monitor or oversee the implementation or operation of the relevant systems. In fact, these cases have helped many companies by defining the parameters of what boards should do to shield themselves against a shareholder derivative suit arising from a cybersecurity incident.
In the cybersphere, the board or committee designated by the board is expected:
- To ensure that customers’ personal and financial information is protected by implementing or devising a system of internal control.
- To oversee data security risk management by establishing effective corporate governance and reporting structures.
- To make sure that customers are informed in a timely manner if there is any data breach relating to their personal or financial information.
- To monitor and oversee the said system of internal control.
- To operate in an efficient manner while conforming to all applicable laws and ensuring the highest quality performance of the business, and to avoid wasting the company's assets so as to maximize the value of the company's stock.
- To maintain up-to-date records of the company's operations and make reasonable inquiries about those operations to ensure that the right steps are taken to correct any unsound or imprudent conditions or practices.
Confidential Information and Director Communications:
Several past incidents have clearly demonstrated that electronic communications between directors are at higher risk of attack, because they often contain confidential, mostly non-public information. A successful attack can pave the way for insider trading, reveal the company's strategy, and affect ongoing deal negotiations. Using personal e-mail accounts to exchange company-related e-mail doubles the risk, because commercial e-mail servers lack robust security features and are also beyond the company's control.
These risks can be minimized by following these steps:
- Accessing board presentations and other sensitive documents only through encrypted laptops and mobile devices.
- Ensuring that company policies contain a clause that requires directors and board members to use only official e-mail addresses for all company communications.
- Incorporating e-mail security training as an essential part of ongoing director training.
The cyber attacks on Yahoo in 2013 and 2014 affected a large number of accounts. This incident demonstrated the importance of cybersecurity diligence in corporate transactions. Here are the highlights:
- More focus will be placed on cybersecurity diligence, especially in M&A transactions that involve companies holding large amounts of personally identifiable information and those in the IT industries.
- Engaging a third-party expert to perform a technical analysis to identify any undisclosed incidents and/or risks may be required, depending on the industry or the nature of the company's operations.
Cyber attacks and security measures are no longer exclusively the domain of the IT department. They are a boardroom issue too.