A person asked to take on a directorship should check certain things before agreeing to assume the responsibilities. This article focuses on cybersecurity concerns and what to look for in determining whether the position would be a good fit. For a more thorough discussion of other pertinent concerns, see What to Consider Before Accepting a Corporate Directorship. Even if the corporation or organization is missing certain protections, it is better to know in advance so that the potential director can act accordingly.
The issue of cybersecurity stands to become more far-reaching in future years, as indicated by the U.S. Securities and Exchange Commission’s (SEC) guidance from December of 2018 for public companies on cybersecurity-related disclosures. While it does not mandate a role for corporate directors in handling cybersecurity, the guidance does seem to suggest that directors can no longer take a back seat in dealing with cybersecurity matters. Under this guidance, directors who choose not to take an active role in preventing attacks violate the duty to manage the corporation’s or organization’s affairs prudently.
Fortunately, the National Association of Corporate Directors (NACD) has issued a handbook on cyber-risk aversion that includes principles which corporate boards of exchange-registered companies, and of other entities large and small, should consider in order to handle cybersecurity threats within the corporation or organization effectively. It may be a red flag for individuals considering a directorship if the following items are not already in place. Before deciding to assume the responsibility, the potential director should be assured that the corporation or organization is amenable to making changes to its operations that account for cybersecurity.
First, directors should examine whether cybersecurity concerns are handled as part of routine risk management, rather than relegated exclusively to the IT department; both risk management and IT should have a hand in the efforts. Upper management in a corporation or organization should have a hand in how the entity’s cybersecurity programs function and should revisit these programs periodically at board meetings. Since the threat landscape is constantly evolving, with attackers getting smarter about how to access an entity’s confidential information, cybersecurity should also evolve to keep up with the latest threats. The entity’s plan should not consist merely of checking boxes in a “set it and forget it” program in order to appear protected on paper; the directors should be actively involved to ensure that cybersecurity programs are functioning effectively.
To determine whether an effective program is in place, potential directors should ask what cybersecurity concerns are particular to the business, in other words, what special concerns the entity should have based on the business it conducts. This will help identify the defensive plan best suited to the entity. Follow-up questions would include whether there has been any testing of how the current policies and procedures, if any, would operate if a cyber-attack occurred; where important data is stored and what kind of data is stored in a given location; and whether adequate insurance coverage is in place to cover a data breach if one occurs. Since no cybersecurity plan can be completely flawless, risk abatement can be just as important as a strong initial defense. Having a plan for if and when breaches occur is of paramount importance.
Second, the potential director should determine whether the existing cybersecurity programs are adequately funded to meet the demands particular to the business or organization. This could include internal funding of a risk department or engaging an external cybersecurity firm to help protect the entity. Seeking outside help from cybersecurity experts may be a better option for larger businesses with more at stake, but smaller companies holding important or particularly sensitive information should consider this option too. Without adequate funding, however, a cybersecurity program will not function at its peak regardless of the skill level of those working on solutions, and it may not be doing what it needs to do to protect the entity’s important information.
Lastly, the potential director should ask about any past attacks and what the business or organization has done to mitigate the potential for future attacks. Entities that have not changed their cybersecurity procedures after an attack should be approached with caution. If the entity has been fortunate enough never to have experienced an attack, a potential director should be equally cautious in dealing with an over-confident entity. Good fortune in avoiding a prior attack does not control the future; the landscape is constantly changing, and past success does not necessarily correspond to future immunity.
Cybersecurity adds another layer of considerations for an individual debating whether to accept a directorship position. Keeping an eye out for the above factors can make the decision easier and minimize risk in the long run for both the entity seeking a director and the potential director himself or herself.
With contribution from Sarah Rothermel, J.D. Widener Law Commonwealth.