Despite the extraordinary amount of attention from multiple sources on the issue, a series of recent articles in The Wall Street Journal suggests an ongoing level of uncertainty and unease on the part of the board with respect to its responsibilities for cybersecurity oversight. The general counsel, teaming with the chief information security officer (CISO), can be most helpful in providing guidance to the board in this regard.

The major theme of these articles is that boards are pursuing greater clarity and understanding of their cybersecurity oversight responsibilities following the Equifax breach late last year; i.e., the Equifax crisis seems to have been a particularly defining moment to many boards concerning these responsibilities. This is driven in part by the scope of that breach, and a general lack of understanding of how closely the Equifax board exercised oversight of cybersecurity matters. This increased emphasis on oversight responsibilities is reflected in part by, among other measures, (i) the possible reallocation of cyber-oversight responsibilities more broadly among board committees (e.g., removing it from audit committee direction); (ii) additional board/committee meetings with the CISO and other cybersecurity executives; and (iii) increasing the number of comprehensive internal cybersecurity reviews conducted annually.

A particularly interesting observation from the articles is that very few companies maintain board committees dedicated to information technology risks and strategies (i.e., only four Fortune 100 companies). A consistent "year-over-year" theme is that directors lack confidence that their company has adequate protections to deal with a cyberattack. One suggested alternative is for the board to cultivate a much more direct level of engagement with the CISO (e.g., perhaps, a direct reporting relationship, much like the compliance officer). An additional concern expressed by those interviewed for the articles is the fiduciary propriety of authorizing the payment of ransomware attack demands.

The need for continued director engagement on cybersecurity oversight is clear, especially given concerns with Equifax-level breaches and an uncertainty as to the most effective way for the board to satisfy its oversight obligations. Barriers to more effective board engagement continue to arise from (i) the extraordinary level of information and "white noise" on cybersecurity information made available to the board, directly and through governance publications, and (ii) the extent to which individual directors feel inadequate to address cybersecurity oversight because of the associated technology complexities. The general counsel and the CISO can help the board overcome these barriers with meaningful governance solutions designed to facilitate oversight—including a better understanding of the respective roles of governance and management in this complex area.
