As IoT cybersecurity threats increase in both severity and frequency, every organization’s board of directors is expected to become more involved in the oversight and management of risks. Boards that don’t take this obligation seriously can be held accountable for any data breaches, and face the consequences from multiple directions.
More specifically, directors could be ousted by activist investor campaigns, or become targets of shareholder derivative actions. Let’s have a closer look at what is expected of the board of directors when it comes to management and oversight of cybersecurity risks:
Duties and Obligations of Board Members
Even though the exact responsibilities and obligations of the board of directors revolve around the laws of the state in which the organization operates, the basic principles remain the same. One of the critical obligations of directors is to discharge their duties in good faith, with care, and loyalty to the organization. Avoiding corporate waste is another important duty of directors.
Directors enjoy the benefits of the business judgment rule in courts, which is the assumption that they have indeed acted in good faith and care for the organization unless the plaintiff proves otherwise. It is a significant hurdle for the plaintiffs in most cases, but it’s imperative for directors to protect their liability by ensuring that all eventualities in the case of an cybersecurity breach is covered.
Responsibility of Directors
The directors themselves aren’t expected to manage cybersecurity risks, but rather ensure that the management is doing so by overseeing their processes. Despite being protected by the business judgment rule in general, directors can still be held personally liable for a failure of oversight in case there is a complete and systemic failure at ensuring that cybersecurity risks were managed. Personal liability means litigation — directors can be sued by the shareholders as they would be in breach of their fiduciary duties to the organization.
Overseeing Cybersecurity Management
Directors have a few options at their disposal to protect themselves from potential litigation by doing proper oversight of cybersecurity risk management. The first step is to take some time out of regular board meetings and dedicate it to discussing cybersecurity and encouraging the management to make presentations on the subject. Many directors opt for implementing a cybersecurity plan to cover their bases, and they take great care to monitor how effective the program is, so to adjust and tweak it.
Another good practice is having a chief information security officer or CISO for short. It is the person responsible for helping the board understand how cybersecurity risks might affect the organization at large. A CISO can also regularly report to the board on the state of cybersecurity in the organization and ensure that all necessary steps are being taken to prevent breaches. All of these efforts should be documented in the organization’s reports.
Cybersecurity is rapidly becoming one of the main pillars of thriving organizations, but ensuring protection from cybercriminals is still a task fraught with difficulties. For the board of directors of an organization, it’s critical to exercise oversight of cybersecurity risk management to avoid liability and litigation that can have severe consequences.
Very few cybersecurity experts know how to communicate with BoDs and decision makers.
Presenting a business case involves not just economics but also the need for consistent terminology, measurement, and a context in which to make informed decisions. The business is informed by our understanding of the technology but must be framed in a business language and concepts so that it can be easily compared with non-security choices.