
Ivan Fong, SVP for Legal Affairs and General Counsel, The 3M Company

Cybersecurity has emerged as one of the top risks, if not the top risk, facing many companies and public institutions today. How should boards of directors balance their obligations to provide effective oversight and manage risk, on the one hand, without either micro-managing a company’s cyber-defenses or becoming utterly lost in the technical details?

The New Three Rs

This article offers a modest three-part framework to help guide directors through an evolving area of critical importance to any entity that possesses intellectual property or other confidential data, processes personally identifiable information, or manages any aspect of the nation’s critical infrastructure.

Under US law, corporate directors are charged with the overall responsibility to represent shareholder interests. Directors discharge that responsibility by overseeing executive management and exercising their legal duties of care and loyalty.

Loyalty demands that directors protect the interests of the corporation—and therefore the interests of shareholders—and, conversely, that they do not act in a manner that would injure the corporation or its shareholders. Care demands that they make decisions in good faith and in the company’s best interests based on a reasonable investigation of available options.

Furthermore, courts apply the “business judgment rule” to gauge the duty of care, in essence saying that directors who act reasonably and in good faith will not be held liable for adverse business outcomes.

How do these legal standards, developed before the world became as interconnected as it is today, apply to a board’s cybersecurity obligations? Boards should, in my view, focus on the three Rs of cybersecurity: risk, resources, and readiness.

The First R: Risk

Recent news reports illustrate the risks posed by persistent and sophisticated cyber-threat actors in our increasingly networked world. Such threats can take the form of competitors and other economic actors who seek to exploit a company’s trade secrets or other intellectual property, such as the process know-how and product recipes, often honed over decades of painstaking research and development, that are the lifeblood of science-based companies like 3M.

Other threats may take the form of organized criminal entities that pursue profits from the theft of personally identifiable information, such as credit card numbers or health records. Still others may be nation states that target important technology or seek to disrupt another nation’s critical infrastructure. “Hacktivists” may wish to expose embarrassing company emails or other confidential information to make a larger, social point. And, of course, threats can reside inside an organization as well. Insider threats, such as from disgruntled employees or self-styled whistleblowers, can be among the most difficult to identify and protect against.

As part of a board’s responsibility to evaluate and manage enterprise risks, directors should therefore ensure that management adequately understands, carefully assesses, and has reasonable plans to address the variety of cyber-risks facing the company. Protecting a company’s information and IT networks from cyberattacks is simply too important to be left to the IT department. Given the potential threat to a company’s security—financial or otherwise—cybersecurity is an enterprise risk issue that should ultimately rise to the level of the board of directors.

Consider the legal and regulatory risks: If a company’s data are compromised, how will it explain to customers, employees, or other stakeholders that legal commitments made to keep those data secure have now been breached? To what extent will the company face enforcement actions by the Federal Trade Commission, the Securities and Exchange Commission, state attorneys general, data protection or other enforcement agencies outside the United States, and others?

Consider also the economic risks: How might hard-won intellectual property be lost to a cyberattack? At 3M, some 9,000 scientists and researchers are at work in R&D facilities around the world every day, striving to invent new ways to overcome challenges large and small. Their work underpins our business, and a cyberattack resulting in economic espionage could undermine that investment at the speed of light.

Ultimately, the most significant risks arising from a cyber-incident may be reputational. Businesses rely on the trust and confidence bestowed upon them by their customers, suppliers, employees, and other stakeholders. A company’s reputation for technological sophistication or basic security can be easily tarnished, leading to a sharp loss in public confidence and revenue. Future business opportunities or even the ability to recruit top talent might also evaporate, at least until the business is able to regain that confidence.

Boards should therefore understand how specific cybersecurity risks could affect the company’s long- and short-term shareholder interests. Directors should make sure the company’s management properly frames the risks in the context of the business’s threat environment, its operational environment (including the maturity of its cybersecurity program), and management’s assessment of comparative enterprise risks. Heat maps that plot each risk by the probability of its occurrence and the magnitude of its impact, for example, are a useful tool for visualizing and prioritizing comparative enterprise risks, provided the board also asks how the underlying probability and impact ratings were arrived at.
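To make the heat-map idea concrete, the following is an added example, not code from the article or from 3M: a small risk register scored on 1-to-5 likelihood and impact scales, bucketed into bands, ranked, and rendered as a text grid. The register entries, the band thresholds, and the tie-breaking rule are all assumptions chosen for illustration; a real program would calibrate them to the company’s own threat and operational environment.

```python
"""Risk heat map: score, bucket, rank and render a cyber-risk register.

Added illustration; the register below is constructed sample data, not any
company's actual assessment, and the band thresholds are an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass

SCALE = range(1, 6)  # both axes use an ordinal 1..5 rating


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe

    def __post_init__(self) -> None:
        # Reject out-of-range ratings instead of silently mis-plotting them.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: ratings must be in 1..5")


def score(risk: Risk) -> int:
    """Likelihood x impact, giving a value in 1..25."""
    return risk.likelihood * risk.impact


def band(value: int) -> str:
    """Map a score to a heat-map colour band (thresholds are an assumption)."""
    if value >= 15:
        return "critical"
    if value >= 8:
        return "high"
    if value >= 4:
        return "medium"
    return "low"


def prioritize(risks):
    """Highest score first. Ties are broken by impact, so a rare but severe
    event outranks a frequent nuisance with the same product."""
    return sorted(risks, key=lambda r: (score(r), r.impact), reverse=True)


def heat_map(risks):
    """Group risk names into (likelihood, impact) cells of the 5x5 grid."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return dict(cells)


def render(risks) -> str:
    """Text grid: rows are likelihood (5 at the top), columns are impact
    (1..5); each cell shows how many register entries land there."""
    cells = heat_map(risks)
    lines = ["L\\I " + " ".join(f"{i:>3}" for i in SCALE)]
    for likelihood in reversed(SCALE):
        row = " ".join(
            f"{len(cells.get((likelihood, i), [])):>3}" for i in SCALE
        )
        lines.append(f"{likelihood:>3} {row}")
    return "\n".join(lines)


# Constructed sample register covering the threat categories discussed above.
REGISTER = [
    Risk("ransomware via phishing", 4, 4),
    Risk("trade-secret theft by state-backed actor", 3, 5),
    Risk("vendor credential compromise", 3, 3),
    Risk("insider misuse of admin access", 2, 4),
    Risk("lost unmanaged BYOD device", 4, 2),
    Risk("website defacement by hacktivists", 2, 2),
]

if __name__ == "__main__":
    print(render(REGISTER))
    for r in prioritize(REGISTER):
        print(f"{score(r):>2} {band(score(r)):<8} {r.name}")
```

The grid is what a board typically sees; the ranked list underneath is what management should be able to defend rating by rating, since a heat map only relocates, rather than removes, the judgment calls hidden in each likelihood and impact score.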

Risk assessments should also include evaluation of insider threats versus external threats, as well as third-party risks: vulnerabilities introduced through partners, suppliers, customers, contractors, and others. Management’s cybersecurity program should identify these risks and include appropriate audits or security assessments to minimize them or, at a minimum, to allocate contractual responsibility for addressing them to the third party.

Finally, the board’s oversight in this area must not be a “one-and-done” event. Management’s risk assessment processes should be dynamic, particularly in light of the evolving nature of the relevant cyber-environment. Directors should thus be attuned to risks posed by new practices and technologies, asking management about the security implications of recent developments, such as “bring your own device” policies and cloud-based storage and software.

The Second R: Resources

In addition to making sure that cybersecurity is an appropriate part of the company’s enterprise risk management efforts, a board should also view its role as ensuring the company has the right resources to manage cybersecurity risks: having the right people, processes, and technologies in place to mitigate the relevant risks.

Having the right people—from company leadership to individual subject-matter experts—is, of course, critical. The company’s chief information officer and chief information security officer must be not only technically proficient, but also able to communicate clearly and simply. It becomes all too easy to lose the forest for the trees when tech-speak is involved. Although a board would not typically be involved in these types of personnel decisions, directors should nonetheless hold the CEO accountable for having the level of talent necessary to perform the relevant risk-management and risk-reduction responsibilities.

As an oversight body, it is also the board’s role to ensure management has appropriate processes in place as part of the company’s overall cybersecurity program. Such processes might include employee training and awareness, forensic capabilities to investigate potential breaches, audit or other compliance processes, and certification or continuing education for the company’s cyber-experts. As a general matter, directors should hold management accountable for executing on its action plans, with reporting timelines and metrics for evaluating progress.

A recurring question in this area is whether a board should recruit a director with specific cyber-expertise. Depending on the company’s risk profile, having such a director as an independent voice and resource for the board may well be a best practice, especially given the increasing complexity of overseeing management’s cybersecurity efforts.

On the other hand, if they are sufficiently informed and engaged, generalist directors should nevertheless be able to provide meaningful oversight. And it would surely be a mistake for a board to abdicate its oversight responsibilities in this area by delegating those duties to a director who also happens to be a cyber-expert.

In the area of technology, directors should review the kinds of technical security measures warranted by the level and kinds of risks identified. Such measures may include firewalls, strict password requirements, multi-factor authentication, data loss prevention programs, threat-indicator monitoring, and more.

Directors need not become technical experts, and they are entitled to reasonably rely on the opinions of those who are, but they also need to know enough to ask the challenging questions and make sure the company does not have a culture of conformity. Excessive deference to technical experts can be just as detrimental as micro-management; directors and management should not leave their business acumen, independence, and common sense at the door when it comes to cybersecurity.

Use of objective benchmarking data, such as the level of IT resources devoted to cybersecurity, is one way to evaluate a company’s cybersecurity program but, of course, it is not the only way. There is no substitute for healthy skepticism, combined with an appreciation for the significant challenges faced by most companies in this area.

In sum, the board’s role is to oversee management’s allocation of the appropriate level and kind of resources to address the company’s cybersecurity risks, not to manage the deployment of those resources itself.

The Third R: Readiness

A board’s legal obligation to protect shareholder interests should include not only oversight of risk management and appropriate resourcing, but also oversight of whether the company has an adequate response plan in place in case of a cyber-incident.

One of the most important ways a company can prepare for a data breach or other cyber-incident is to have a strong crisis management team in place. The team should include IT security, legal, and communications representatives, for these functional groups will have to work closely to assemble the relevant facts and determine how to communicate the company’s position as quickly as possible. For instance, upon discovery of a potential breach, the team will be faced with immediate questions such as: How did the breach occur? What, if any, information was taken? And where are the intruders now; that is, are they still in the company’s networks?

Making sure information about the incident flows to the right individuals, including the CEO, is also essential. Decisions about whether and when to inform the board, investors, customers, employees, or others as required by breach notification laws are also significant. They will often have to be made under time pressure, so they should be thought through in advance as much as possible.

Any external vendors, such as cyber-forensics consultants and credit monitoring services, should also be identified, and preliminary relationships with them developed before a crisis occurs. Any incident response plan should also be tested regularly with mock exercises to ensure roles and responsibilities are clearly delineated and well understood by the relevant actors.

One way a company’s readiness can be measured is by whether the appropriate company personnel have relationships with relevant law enforcement officials. The company’s chief information security officer and general counsel should not, for example, have to place a cold call to the local FBI or Secret Service office to report a suspected theft of the company’s trade secrets. Ideally, there should be an established relationship and regular two-way communications between the company and relevant government agencies on cyber-threats and cyber-threat indicators. In light of the prevalence of today’s cyber-incidents, as well as the persistence and sophistication of modern threat-actors, directors would thus be well-advised to oversee the overall state of the company’s readiness for the inevitable.

Finally, boards of companies that face significant cyber-risks should inquire whether the company has considered insurance coverage for cyber-incidents and, if so, what kinds of incidents are covered and what the limits of coverage are. There are many varieties of cyber-insurance programs available, and there is no one-size-fits-all approach. Directors should consider whether cyber-insurance coverage should form part of the company’s readiness plan in the event of a significant cyber-incident.

In the current cyber-threat environment, directors are no longer expected to master just the traditional three Rs: reading, writing, and ’rithmetic. Instead, they must now also master the three Rs of cybersecurity oversight: risk, resources, and readiness. There are, of course, other board-level responsibilities relating to cybersecurity, but directors who focus on those three areas as a starting point will serve their company’s shareholders and management well.
