Regulators, including the Securities and Exchange Commission, have increased their focus on the growing threat of cybersecurity. This trend underscores the fact that cybersecurity is not merely an IT issue, but an integral component of a company's broader enterprise-wide risk management structure, necessitating board oversight of cybersecurity risk.

And of course, cybersecurity is a critical consideration in M&A transactions. The risk profile, security protocols and cybersecurity preparedness of any possible target should be carefully evaluated when considering potential business combinations.

Proper board oversight requires the board to be fully informed about both the effectiveness of existing cybersecurity measures and the importance of any cyber incidents that have occurred. Companies must assess whether they have adequate processes in place to ensure that cybersecurity risks and incidents are identified, evaluated and reported to the board in a timely manner.

To manage the risks posed by cybersecurity, companies should focus on five main areas:

1: Take a tailored approach

Cybersecurity risks vary by company. Companies should tailor their approach, taking into account the data for which they are responsible and the types of risks they may face. This is especially the case for personally identifiable information, such as payment or health data, as well as proprietary data and third-party data.

2: Choose the right oversight structure

Board oversight of cybersecurity can be achieved in a variety of ways. In many companies, the audit committee retains primary oversight of cybersecurity risks, consistent with its role overseeing enterprise risks generally. However, in some companies it may make sense to assign primary cybersecurity oversight to a risk committee that oversees a range of the company's enterprise risks, or a technology committee focused on oversight of technology-related risks.

Any oversight structure should include regular meetings with the company's chief information security officer (or equivalent). In addition, there should be appropriate protocols for elevating information about significant cybersecurity risks and incidents that arise between those meetings.

3: Regularly assess the risks

The board (or relevant committee) should evaluate the company's cybersecurity risks and the effectiveness of its controls. To do this, it should use appropriate benchmarks to industry standards and regulatory requirements and maintain an awareness of ever-evolving state-of-the-art cybersecurity technologies and best practices. Directors will need to decide who should make those evaluations (management, internal audit, an external advisor or some combination thereof) and should have a "dashboard" to look at critical issues, monitor the progress of the company and watch for trends.

4: Develop crisis management and incidence response plans

An effective cybersecurity strategy requires expediency in responding to a breach and resilience in addressing and recovering from such a breach. Having a crisis management team in place, including representatives from investor relations, IT, legal and management, allows the company to: (i) respond quickly and effectively to a cyber incident; (ii) gather information in order to craft accurate disclosure; (iii) address shareholder concerns when information is released to the market; and (iv) understand the role of outside counsel in leading forensic investigations and maintaining privilege.

Companies should consider conducting cyber breach simulations to test for weaknesses and prepare personnel for a true incident.

5: Watch for red flags

Directors should be on alert for red flags that might indicate that cybersecurity resources are insufficient and, if appropriate, request an independent assessment of the company's cybersecurity programs. Directors should be mindful of cyber incidents at peer companies and critical vendors, which can provide insight into the types of attack the company might be subject to and highlight potential systems and supply chain vulnerabilities that should be addressed.

While board oversight of cybersecurity is critical, the directors' role is to oversee companies' risk management, not to manage those risks themselves. Directors do not need to know how specific cyber protection and detection technologies work. The board should focus on ensuring that the company identifies and assesses its key risks through adequate policies, procedures, technical resources, personnel and organizational structures. It should also ensure that the company tracks and manages those risks effectively over time, keeps leadership fully informed and discloses incidents and other material cybersecurity risks to the full extent required.

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2018 White & Case LLP