General Counsel Must Discuss Cybersecurity With Their Boards

June 24, 2015

As general counsel begin to understand the long-term ramifications of cyber attacks, they must also grapple with an evolving regulatory and legislative landscape. New laws and regulations are being enacted by states and federal agencies. Public companies that sustain a cyber attack may be subject to an SEC enforcement action relating to the corporation’s disclosures about its data protection measures and preparedness. Corporations also may be subject to civil action by the FTC.

General counsel should be familiar with and advise directors about this evolving regulatory and legal landscape. The role of the board in addressing cybersecurity risk arises from directors’ fiduciary duties of care and loyalty, although at this point there are few precedents that clarify when directors may be held liable for failure to oversee cybersecurity risk.

A board committee (or the entire board) should be made responsible for overseeing cybersecurity risk. The nominating committee should ensure that the board has among its members adequate technical and risk management experience. Directors should monitor the corporation’s emergency preparedness, which may take the form of a cyber-response plan, with procedures and protocols for responding to either an attack or the threat of one. Protocols should include a plan for testing information systems and processes.

General counsel should also provide the board with information about insurance coverage, both currently in place and obtainable, that could be used to defray the significant costs of a negative cyber event.
