Cyber Risk and the Board of Directors –Closing the Gap

Businessmen superheros and tearing shirts off with c

This article, written by Michael A. Gold, Partner at Jeffer Mangels Butler & Mitchell, was originally published by Bloomberg BNA Corporate Governance Report on October 7, 2013 and articulates the responsibility that corporate boards must own in order to protect the electronic assets of their organization. Read Cyber Risk and the Board of Directors –Closing the Gap.

The term ‘corporate assets’ may conjure up thoughts of mechanical equipment, financial instruments, computer hardware, and even personnel. Often overlooked in this terminology are an organization’s digital information assets, which may include high-value trade secrets, sensitive digital correspondence, business strategy information, or the financial and personally identifiable information of consumers.

Corporate directors have a duty to protect all organizational assets. While the assumption is that cybersecurity threats are only a problem for hi-tech companies, the truth is that the potential for a data breach poses a significant risk for any company that stores any of its data electronically. Threats to a company’s sensitive digital information can include cyber-attacks, hacking, phishing, and ransomware scams, to name a few.

“Corporate boards can be timid about engaging cyber risk because the nature of these risks has no real parallel in the experience of most corporate directors.”

– Michael A. Gold

Due to the seemingly massive volume of information and lack of time or personnel, Cyber Security Fatigue besets many corporate boards. Corporate directors may focus their efforts on other priorities that are more closely related to their areas of expertise, believing that cyber security is being managed by their corporate information technology department.

It’s a common misconception among many organizational leaders that the corporate IT department is responsible for managing a company’s cybersecurity shield. Often, the truth is that IT departments are, in general, not experts in cybersecurity; in fact, many of the directives of IT professionals is counter to encouraging good cybersecurity practices in favor of speed of access, simplified password protocols, or rushing to get a product or service to market quickly.

Also covered in this article is the role that corporate directors play in addressing cybersecurity risks, preparing for the possibility of a cyber-attack, and responding to data breaches, should one occur. Possible legal implications for the board and its members, as well as reports from Lockton Companies, a major insurance broker regarding the “increasing trend in D&O Claims filed as a result of data breach events, and lack of adequate disclosure surrounding such events,” are included.

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. He is also a co-author of Bloomberg BNA’s Corporate Practice Series Portfolio 86, Records Retention for Enterprise Knowledge Management, which is available for purchase at https://www.bna.com/records-retention-p6983/. Contact Mike at MGold@jmbm.com or +1 310.201.3529.