Board members are increasingly being held personally accountable for security breaches through shareholder derivative litigation. In this case shareholders sue for breaches of a directors’ fiduciary responsibilities to the corporation. The risk of personal liability increases when the board has not engaged properly in the oversight of their corporations’ information security risk. Some of the more notable cases include Target Corporation, Wyndham Worldwide Corporation, TJX Companies, Inc., and Heartland Payment Systems Inc. As a result, the Department of Justice, Department of Homeland Security, Securities and Exchange Commission, Financial Industry Regulatory Authority all identify enterprise-wide information security risk management oversight as a crucial component of a boards fiduciary responsibility to act in good faith, with the care that a responsibly prudent person that makes decisions in the best interest of the corporation (business judgement rule).
Security incidents have a reputational, strategic, financial, and legal impact. Recent high profile attacks discussed in this article demonstrate that security incidents can significantly affect capital and earnings. So how can a board protect itself from information security litigation and demonstrate its compliance with the business judgement rule? Research indicates the following key components for effective information security risk management oversight:
- The board must understand what information security risk is and that it is an enterprise-wide risk management issue. An information security expert should exist on the board and information security risks should be addressed as part of a holistic enterprise-wide governance process that establishes appropriate accountability and oversight. The information security expert can be a member of the board or an external information security expert who provides on-going advisory services to the board.
- The board must allocate the budget and resources necessary for management to design, implement, and monitor a information security risk management framework. The National Institute of Standards and Technology (NIST) issued the Information security Framework as a model for information security assurance.
- The board must oversee information security incident management and resilience. Information security expertise must be readily available to provide real-time support for breach investigation, resolution and notification.
- The board must monitor information security risk and compliance through periodic security risk assessments and metrics. A cyber risk appetite should be defined and relevant metrics developed for information security related activity investment, information security program effectiveness, number of breaches, and information security awareness program effectiveness.
- The board members need to receive on-going information security training.
There is no doubt that boards will continue to find themselves on the frontlines of regulator, class plaintiff, and shareholder scrutiny. Proactive information security risk oversight will both protect the board against claims to meet the business judgement rule as well as strengthen the resiliency of their organizations’ ability to detect, respond, and recover from information security incidents.
