Directors & Officers: Understand your responsibility for cyber risk management

With technology becoming an integral part of how businesses of all sizes and industries operate and conduct business, the scope of cyber risk has evolved immensely. While in the past, the assumption might have been that cybersecurity solely fell under the purview of IT departments, in the present, that is certainly not the case. To effectively protect digital assets, profitability, and reputation, and maximize the benefits of technology, companies should build a cybersecurity strategy that includes various stakeholders beyond IT leaders, such as executives and board members.

Cybersecurity has become a significant Directors and Officers (D&O) claims concern and taking this proactive approach can help you fortify your company’s resiliency from claims alleging wrongdoings from these individuals.

Consider this: since 2017, there were 31 security class action lawsuits related to a cyber attack or data breach filed against public companies. Though many of these suits have been dismissed, plaintiffs continue to bring forth suits and the threat of litigation comes with a price, both monetary and reputational.

Regulatory environment

The regulatory environment surrounding board members’ and executives’ responsibilities regarding cybersecurity is also becoming more stringent.

In July 2023, the SEC adopted new requirements for companies to address cybersecurity risks. These new rules significantly increase the requirements and expertise of cybersecurity for boards of directors.

The two main components:

1. Mandatory disclosure of material cybersecurity incidents for all U.S.-listed companies – domestic registrants must file this disclosure on Form 8-K within four business days of determining that a cybersecurity incident is material. Foreign private issuers (FPIs) must furnish the disclosure on Form 6-K promptly after the incident is disclosed or otherwise publicized.
2. Annual disclosure of cybersecurity risk management, strategy, and governance – for domestic registrants, this disclosure is made on Form 10-K. For FPIs, this disclosure is made on Form 20-F.

The FTC is another Federal entity that has shown greater interest in directors’ and officers’ roles in cybersecurity incidents. For example, in 2022, the FTC took action against currently privately held, Drizly, and its CEO over allegations that the company’s lax security measures led to a data breach that exposed the personal information of about 2.5 million customers. The order binds CEO James Cory Rellas to certain data security requirements that will follow Rellas even if he leaves Drizly. 

Board sentiment

Considering the circumstances, how do boards feel about cybersecurity risks? Harvard Business Review recently surveyed 600 board members about their attitudes and initiatives around cybersecurity.

Notable takeaways:

• 65% of directors still believe their organizations are at risk of a material cyberattack within the next 12 months, and almost 50% believe they are unprepared to cope with a targeted attack.
• 47% of survey participants who serve on boards interact with their CISOs regularly, with about 33% of them only seeing their CISOs at board presentations. This speaks to a disconnect and communication gap    between cybersecurity teams and boards.
• Only 67% of board members believe human error is their biggest cyber vulnerability, though findings from several organizations over the years indicate that human error accounts for 95% of cybersecurity incidents. This could indicate that some boards do not see the widespread organizational risk they face.

Because of our litigious society and changes in the regulatory environment, board members and executives should consider the following as they navigate the overlay of cyber and executive risks and look for solutions.

What are the responsibilities regarding cybersecurity for board members’ and executives’?

At a basic level:

1. Boards need to take reasonable steps to protect customers’ sensitive data.
2. Directors and officers are also expected to support the implementation of controls to detect and prevent a data breach.
3. Following a data breach, entities need to follow the advice of privacy counsel and notify affected parties.

Directors and officers have a fiduciary duty of oversight. When it comes to cybersecurity, board members at both public and private companies have a duty to establish effective cybersecurity oversight and monitoring.

Should a cyber breach occur, the actions of the board and senior executives might come under intense scrutiny. Because many recent lawsuits have made claims that directors and executives collude and enable each other in violating their respective responsibilities, now is the time to think of strategies that minimize and contain board members’ and executive personal liability.

Failure to implement appropriate cybersecurity controls and adequately monitor them can result in breaching fiduciary duties to the company and its shareholders. The board and management may also face questions about how they handle disclosing a cyberattack or data breach to relevant authorities, financial markets, and affected parties. Establishing responsibilities for implementing and managing cybersecurity before and after a cyber event is a strategy that can help companies address these risks.

Though there are a few exceptions, private companies are subject to the same legal duties and standards as large public companies. One such exception is this: public companies must make timely, extensive disclosures about cybersecurity risks to the SEC, while this usually isn’t the case for the boards of smaller private businesses due to their limited size and scale.

Prioritizing cybersecurity for the board requires continuous dedication, not just an annual update. It involves discussing it in every board meeting, obtaining cybersecurity updates between meetings, and inquiring beyond what is presented. Board members’ personal actions also send a message to senior leadership, which is why they should also demonstrate a personal interest in cybersecurity, such as being secure themselves, raising questions, sharing stories, and recognizing individuals who exhibit the behaviors that the board wants to encourage.

How does insurance fit into the picture?

Transferring risk via insurance can be an effective risk management tool that provides financial safeguards for boards and companies in the event of a cyber breach.

What coverages come into play?

Cyber Insurance

Though there’s no such thing as a standardized cyber liability policy, cyber insurance will typically offer financial protection and remediation services to a company from the fallout arising after a breach or cyber event compromise its systems, and/or sensitive, third-party data. Cyber policies may cover litigation fees, regulatory fines, notification costs, recovery efforts, and more. It’s essential to partner with an experienced cyber insurance advisor to review your company’s cyber vulnerabilities and coverages that meet its needs.

Directors & Officers Insurance (D&O)

Beyond ensuring that a company has adequate cyber coverage in place, directors should also look at D&O insurance coverage. If a company’s cybersecurity is inadequate and leads to a data breach, customers or shareholders may view it as negligence or a breach of duty by the board. This could lead to them holding directors accountable for any damages.

In most cases, a cyber liability policy likely won’t offer the protection directors and officers need after a data breach, which is where a D&O policy comes into play. In the absence of D&O coverage, your individual assets may be at risk and might be surrendered to cover legal expenses.

A D&O policy can respond to investigations or personal claims made against board members in the event of a cyber incident. It is critical to confirm if the company’s D&O policy would provide protection to its directors and officers if they face litigation alleging breach of fiduciary duties associated with a cyber event or data breach. A standard D&O policy covers the individual directors’ acts, errors, and omissions associated with their conduct as directors, which may involve matters related to a cyber incident, but again, not all insurance policies offer the same protection. Some will have overly broad cyber exclusions, which may leave you uncovered after a cyber event.

Be sure to consult with your insurance advisor about these coverages. You’ll want to understand how both a cyber and D&O policy define a loss, and how this impacts which policy responds to claims after a cyber breach.

Private versus public companies: are there notable coverage differences?

Both public D&O and private D&O policies protect individuals if they’re named in a suit, and also cover the company where they have to indemnify those individuals. However, private D&O policies tend to provide broader coverage than a public D&O policy, barring explicitly stated exceptions. Additionally, a public D&O policy will usually only provide coverage when there is a securities class action against the public company.

What are some steps boards can take to contain cyber risk?

Though there isn’t a standardized way to contain cyber risk, there are frameworks that boards can refer to when setting standards or cybersecurity governance. These include the National Institute of Standards and Technology (NIST) framework, the SEC’s guidance, the FTC’s recommended cybersecurity guidelines, FINRA principles, the U.S. DOJ’s best practices for reporting cyber incidents, and more.

As a starting point, boards can take the following steps to help reduce their exposure to cyber risk:  

• Include cybersecurity experts on the board.
• Make cybersecurity updates and discussions a regular part of board meetings and ensure that meeting notes reflect this.
• Protect all board meeting minutes and records by storing them in a secure, encrypted platform. Have guidelines in place about storage practices and who can access which information.
• Train board members periodically so that directors understand the evolving cybersecurity and data privacy landscape.
• Establish cybersecurity oversight via committees to manage the company’s cyber risks.
• Create a consistent reporting structure and cadence for oversight, such as quarterly reports from company executives, or external experts.
• Regularly evaluate the company’s digital systems and assets, the risks that they pose, and ways to contain those exposures.
• Have a crisis preparedness plan for cyber events, and review and enhance that plan on a regular basis.
• Provide the resources and budgets that security and information teams need to effectively implement cybersecurity best practices.
• Lead by example. If you, as a board director, have sensitive data stored in your electronic devices, know what you can do to be cybersecure.
• Break down silos within the company and create a culture where cybersecurity is everyone’s responsibility, not just IT. Thoroughly review your cyber and D&O policies to ensure that your insurance program will respond in tandem if a cyber event occurs.

Stay ahead of cyber risk

Ultimately, boards need to understand that cyber risk is not just a technology issue, but also a significant financial liability. They should discuss their organization’s digital risks, implement plans to manage those risks, and act now to protect against both D&O lawsuits and cyberattacks.