Cybersecurity and Board of Directors Liability
Cybersecurity is one of the highest-priority issues for company executives, both public and private, and it is rapidly becoming a major focus at the state, county, and municipal level as well. Recent litigation and regulatory action have demonstrated that the responsibility for maintaining a strong defensive stance against cyber threats rests with the board of directors.
Over the past couple of years, stakeholders have begun to seek legal action against board members, alleging that they failed to take proactive steps to prevent data breaches and were therefore negligent in their duty, as an independent body, to provide effective fiduciary oversight. In addition, regulators are taking action and assessing monetary penalties that reinforce the fact that cybersecurity starts at the top. While certain cybersecurity measures are properly delegated to IT professionals, whether in-house or outsourced, the board can never delegate its independent fiduciary oversight and responsibilities to anyone. A high-priority issue such as cybersecurity must be addressed from the top down.
Even though a board of directors might find the technical nature of cybersecurity to be a very real challenge, its responsibility mandates that it implement a proactive and effective set of procedures that enable it to pose a credible challenge to management. Just as a third-party, independent CPA auditor verifies and validates the financial results of an organization, a board should have ongoing access to independent cyber risk assessments, with an emphasis on “ongoing”.
Hackers are constantly seeking network vulnerabilities, 24/7. In many instances, they don’t know the identity of the entity they are attacking until they have encrypted all the data and sent a ransomware demand. Many are simply scanning networks, hundreds or more a day, looking for a vulnerability that lets them breach the network. A board that is simply resting on the fact that its organization engages an annual IT audit is susceptible to a bad surprise one day. While the annual IT audit is certainly a recommended exercise, the consistent effort of hackers seeking to breach a network with new schemes requires ongoing vulnerability testing to help defend against the havoc a breach can cause.
The question every board member must answer is this: are the actions we are taking today, in our role to represent stakeholders and to protect the sensitive data and integrity of the organization’s digital assets, sufficient to withstand the Monday-morning, ‘after-the-fact’ scrutiny that is sure to follow a cyber breach?
// by Rob Blackmon, Gulf Guard Cyber