The Conference Board Governance Center Blog

Feb 05, 2015

Duties and Liabilities of the Board Regarding Information Security

By Marcel Bucsescu, Assistant Director, Governance Center, The Conference Board

Recent high-profile cyber breaches at Anthem, Home Depot, and Sony remind us just how dynamic, complex, and rapidly evolving cyber security is, along with the management of and response to those risks. Every day, email inboxes are flooded not just with phishing emails and other scams, but also with marketing blasts promising to solve cyber security and tell directors everything they need to know. A huge industry is developing around cyber security, preparedness, and response. But managing risk is not a new challenge for management and boards. Every once in a while, it is helpful to ground ourselves. Recently, the general counsel of a Fortune 500 company shared a memo with me that they had prepared for the board. This memo serves as a reminder that the new and evolving threats that companies face today exist within a legal framework. And while there are many unknowns with cyber risks, the role of the board is still rooted in the basic duties of care, loyalty and good faith to the corporation. You can access the article, “The Board’s Role in Cyber Security,” referred to in the memorandum here.

MEMORANDUM

To: Board of Directors
From: General Counsel
Re: Duties and Liabilities of the Board Regarding Information Security

Given the agenda content on information security at our upcoming meetings and the overwhelming proliferation of director seminars and publications on this topic, we felt it would be helpful to provide guidance on the standards that the Board will be held to in regard to oversight of the Corporation’s information security risks.

Background – Growing Risks

Information security has risen rapidly on the risk register of most companies, including ours. Among the many facets of this risk issue, we face nation state actors trying to pilfer trade secrets and build offensive sabotage capabilities, corrupt or careless insiders who abuse trust to harm their employer (e.g., Edward Snowden), and the growing incidence of data breaches. The costs of these attacks can be significant. Prudent directors – concerned with protecting finances, avoiding liability, preserving reputation, and seeking future growth – are inquiring to ensure that their companies have appropriate processes in place to address information security risks in the context of each company’s business.

Expanding Regulation and Legislation

The US and other governments are seeking to regulate security for critical infrastructure. In 2013, President Obama issued an executive order creating new cybersecurity standards for critical infrastructure companies in many sectors. The Commerce Department’s National Institute of Standards and Technology (NIST) issued a new framework standard earlier this year. China, as well, is in the process of creating security standards for control systems.

The SEC has issued guidance on disclosure of cyber risks and cyber attacks. Our 10-K details some of these risks.

The European Union and other governments have issued stringent data privacy standards and every US state has a data breach notification law.

Commentators Increasingly Suggest Broad Director Duties

A Greek chorus of commentators and experts gives speeches and writes articles declaring a long litany of actions that boards “must” take in regard to cybersecurity. Many of these recommendations inappropriately push directors into a programmatic role that should be the purview of management.

The stakes in this game were elevated when, in a June 10, 2014 speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus” delivered at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar highlighted the involvement of boards of directors in cybersecurity oversight. In his speech, Aguilar stressed that “ensuring the adequacy of a company’s cybersecurity measures needs to be a part of a board of director’s risk oversight responsibilities.” He added the warning that “boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril.”

While couched as calling for oversight, Aguilar’s detailed suggestions would put the boards deep into cyber preparedness and breach response. For example, he recommends specifically that boards use the NIST framework. He called for boards to create separate risk committees and delve into roles and responsibilities for information security within management. Some have interpreted Aguilar’s speech as a warning that the Commission may hold boards accountable for poor risk management or inadequate disclosure. It is questionable whether the SEC has the statutory basis for charging directors, in all but the most extreme cases.

Under Delaware Law, Director Duties Are Modest

Under Delaware law, directors owe fiduciary duties of care, loyalty and good faith to the corporation. The first two duties result directly in liability if violated. The third duty – good faith – is not an independent fiduciary duty but rather an element of the duty of loyalty, as a director cannot act loyally toward the corporation unless she acts in the good faith belief that her actions are in its best interests. Stone v. Ritter (Del. 2006).

Our articles of incorporation contain a clause exculpating directors from liability for most breaches of the duty of care, as permitted by Delaware Corp. Code section 102(b)(7). Thus, following a data breach, claims against the board could most plausibly be made for breach of the duty of oversight (which is derivative of the duty of loyalty).

Under the line of Delaware cases sometimes referred to as the Caremark doctrine, the sole basis for director liability for breach of the duty of oversight is: “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention. In either case, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations.” Stone.

In cases seeking to hold directors liable for failure to monitor risks, Delaware courts have been careful not to allow plaintiffs to use the duty of oversight as a vehicle to second-guess a well-informed board’s business decisions, including well-informed decisions regarding risk-taking. Notably, in In re Citigroup Shareholder Derivative Litigation, the Delaware Chancery Court rejected the plaintiffs’ claims that Citigroup board members breached their fiduciary duty by failing to prevent the losses incurred by Citigroup as a result of its substantial exposure to the subprime mortgage market. The court held that the alleged warning signs cited by the plaintiffs were insufficient to imply knowledge of the need to oversee subprime mortgage investment decisions. The court reiterated its well-established principle that “the mere fact that a company takes on business risk and suffers losses – even catastrophic losses – does not evidence misconduct and without more, is not a basis for personal director liability.”

In today’s world, it seems apparent that information security should be part of any company’s ERM program and thus should be part of directors’ oversight. However, the Delaware case law makes it very difficult to prove a breach of the duty of oversight, and minimal efforts to oversee management’s activities in regard to an enterprise risk are sufficient to avoid liability.

Most importantly, information security risk management should fit into the company’s overall ERM program, rather than being treated somehow differently. “Cyber risk is just the latest risk board members must address, and good directors are doing so in the context of the company’s overarching risk management process,” according to NYSE Governance Services executive Erica Salmon Byrne. The key is not to take over cyber risk planning activities, but rather to “quiz leadership on how they are approaching cyber risk and where it fits into the company’s risk profile,” according to Byrne.

The Company’s Board Has Easily Met its Duties

Of course, this Board cares about much more than avoiding liability. When compared to best practices for Board oversight of information security risk, this Board has covered the key areas. In a balanced white paper on “The Board’s Role in Cybersecurity,” The Conference Board recommends six ways that boards fulfill their oversight responsibilities:

  • Understand cyber risk
  • Evaluate the organizational approach to cybersecurity
  • Request regular briefings on cyber risk/threats
  • Prioritize material cyber risks to protect business value
  • Request a security technology “roadmap” and budget estimates to implement the strategy
  • Test the company’s response plan with a cyber exercise

Our Board has covered each of these areas and management is committed to keeping the Board up to date as this issue evolves and as the company’s mitigation strategies mature.

About the Blogger:

Marcel Bucsescu, Assistant Director, Governance Center, The Conference Board

Marcel Bucsescu is assistant director of The Conference Board Governance Center. In this role, he oversees all Center programs and leads several key efforts, including The Conference Board Governance Center Blog, Governance Watch webcast series, and The Conference Board Council of Chief Legal Officers.