What Can Boards Do?
This is the last in a three-part series on the implications of cybersecurity threats on boards of directors.
Board oversight should include a comprehensive plan to respond to a cyber incident or data breach, with senior management fully trained with respect to such plan. Moreover, the plan should be continually updated, fully rehearsed and stress tested, so that responding to an incident or breach is virtually instinctive, and responding to a cyber incident is not being conducted cold and for the first time without any prior practice or rehearsal. “Table top rehearsals” of the response plan are critical.
The board should also ensure capable leadership, from the CEO on down, who are able to deal with cyber threats in a competent and meaningful fashion. Moreover, “[b]ecause the consequences of a serious cyber breach not properly contained can now be so far-reaching and so crippling, it is ultimately the board’s responsibility. That means that directors have to educate themselves about potential cyber-attacks, risk mitigation, and damage control should the worst happen.” (Is Your Board Focused on Cyber Preparedness?, supra, first week’s blog.) Indeed, the best hedge against a devastating attack is for the board to exercise leadership by setting an example of a corporate culture that inculcates an understanding and awareness of the cyber threat that pervades every level of the organization. (Id.)(See 3 Roles for the Board in Corporate Cybersecurity, Corporate Counsel, June 11, 2015, Ruby Sharma.)
An assessment should be made of what data is most critical, what risks exist, and a plan formulated and practiced well in advance of the inevitable cyber incident or data breach (to include a plan that ensures early detection), so that the organization is not playing a confused game of catch up when a cyber-incident or data breach occurs. It is critical that all personnel, from the administrative staff all the way up to the CEO, be fully aware of his or her role in detection and response, so that the fullest extent of damage minimization can be realized when the inevitable cyber incident or breach occurs. The existing 200-day detection average should not be an acceptable benchmark for purposes of evaluating an effective detection plan.
The assessment should also include having outside advisors and legal counsel involved in both formulating the plan and being familiar with it, including their respective roles in assisting the organization after a cyber incident or data breach occurs. (See Risk Management and the Board of Directors – An Update for 2014, Wachtell, Lipton, Rosen & Katz, April 22, 2014.)(“The board and relevant committees should work with management to promote and actively cultivate a corporate culture and environment that understands and implements enterprise-wide risk management.”)
Although, as noted previously, there is presently no comprehensive federal statute that governs cybersecurity, the federal government has nevertheless acted to provide some guidance to businesses. In April 2015, the Department of Justice (“DOJ”), Computer Crime & Intellectual Property Section, Criminal Division, issued Version 1 of its “Best Practices for Victim Response and Reporting of Cyber Incidents”. Corporate boards should be familiar with this important resource, and undertake to implement its suggestions, as may be appropriate.
The DOJ’s Best Practices document outlines various suggestions that companies should follow to ensure that they are acting prudently in protecting against, and planning for, cyber threats and data breaches, including:
- Identifying the company’s “crown jewels” in its networks and acting pre-emptively to create an actionable plan to respond to intrusions, including, among other things, concrete steps to follow and directives about who in the organization will take ownership of different aspects of the response;
- Responding to a data breach after it occurs by:
a) making an initial assessment of the scope and nature of the incident;
b) implementing measures to minimize continuing damage;
c) recording and collecting information;
d) keeping logs, notes, records and data of the event; and
e) notifying appropriate agencies, law enforcement, the Department of Homeland Security, and other third parties (including specific victims) in accordance with applicable regulations
and the various state notification laws.
(See also DOJ Has Some Cybersecurity Do’s and Don’ts, Corporate Counsel, May 6, 2014, Rebekah Mintzer; How GCs And Boards Can Brace For The Cybersecurity Storm, Law360, March 17, 2015.)
Additional guidance to corporate boards has been provided by the National Association of Corporate Directors. (See Cyber-Risk Oversight, Director’s Handbook Series 2014, NACD), https://www.nacdonline.org/) The NACD handbook is quite comprehensive, and provides detailed guidance to boards on how best to fulfill their obligation to protect companies against cyber threats, and to prepare for the eventuality of a cyber incident or data breach. One important aspect that is discussed in the NACD handbook is the critical importance of keeping detailed and regular minutes of all board meetings and committee meetings, so that the work of the board in connection with cybersecurity protection is fully and adequately documented — should evidence of what the board did, when it did it, and why, should become necessary in the event that litigation is filed.
Another resource that is available to corporate boards comes from the National Institute of Standards and Technology (“NIST”), which issued the “Framework for Improving Critical Infrastructure Cybersecurity” on February 12, 2014 (http://www.nist.gov/cyberframework/). Like the NACD publication discussed above, the NIST publication is likewise very detailed, and would provide a great resource to any corporate board seeking guidance on how best to meet its duties to protect its organization from cyber threats.
Finally, helpful guidance to boards in the healthcare field can be found at The Office of the National Coordinator for Health Information Technology (“ONCHIT”), “Guide to Privacy and Security of Electronic Health Information”, Version 2.0, which was issued by ONCHIT in April 2015 (http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf). This publication, once again, offers detailed guidance on how organizations in the healthcare industry can best protect themselves from cyber threats, including HIPPA and other bodies of law that are specifically applicable to the healthcare industry.
As is evident from the discussion above, boards are now, more than ever, open to the risks of regulatory audits and derivative law suits, among other things, arising from real or perceived lapses in cyber security focus. And in the absence of a comprehensive and preemptive federal law to provide guidance, boards are even more left to think creatively in order to fulfill their duties to protect their companies against cyber threats.
But that does not mean that there is no help available. With the DOJ and organizations such as the NACD, the NIST, and the ONCHIT, guidance is available. The more that boards refer to these resources, implement their suggestions (where and to the extent that it makes sense for the particular organization to do so), and document the board’s efforts in implementing cyber security plans and strategies in advance of a cyber incident or data breach, they will ensure the best possible defensive position against regulatory action and litigation. Now is the time for corporate boards to be pre-emptively vigilant in setting up protections and response plans, before a cyber incident or data breach occurs.