Ten Cybersecurity Concerns for Every Board of Directors by John Reed Stark and David R. Fontaine*
Every board now knows its company will fall victim to a cyber-attack, and even worse, that the board will need to clean up the mess and superintend the fallout.
Yet cyber-attacks can be extraordinarily complicated and, once identified, demand a host of costly responses. These include digital forensic preservation and investigation, notification of a broad range of third parties and other constituencies,fulfillment of state and federal compliance obligations, potential litigation, engagement with law enforcement, the provision of credit monitoring, crisis management, a communications plan – and the list goes on.
And besides the more predictable workflow, a company is exposed to other even more intangible costs as well, including temporary or even permanent reputational and brand damage; loss of productivity; extended management drag; and a negative impact on employee morale and overall business performance.
So what is the role of a board of directors amid all of this complex and bet-the-company workflow? Corporate directors clearly have a fiduciary duty to understand and oversee cybersecurity, but there is no need for board members (many of whom have limited IT experience) to panic.
Below we compile a list of ten cybersecurity considerations that provide a solid bedrock of inquiry for corporate directors who want to take their cybersecurity oversight and supervision responsibilities seriously. This “cybersecurity top ten list” provides the requisite strategical framework for boards of directors to engage in an intelligent, thoughtful and appropriate supervision of a company’s cybersecurity risks.
By using these ten concerns as a guide, boards of directors can not only become more preemptive in evaluating cybersecurity risk exposure but they can also successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item, at the top of a board’s oversight agenda.