SEC Clarifies Duties of Board of Directors Regarding Cybersecurity and Data Breaches

By Candice M. Tewell
July 2014

On June 10, 2014, Securities and Exchange Commissioner Luis Aguilar spoke at a “Cyber Risk and the Boardroom” conference at the New York Stock Exchange. Commissioner Aguilar indicated that public companies need to increase their monitoring of cybersecurity risks, and that the SEC will be reviewing companies’ cybersecurity measures and disclosures to ensure that investors are made aware of relevant risks and cybersecurity incidents.

Since the financial crisis began in 2008, the SEC and corporate commentators have placed an increasing focus on directors’ oversight of corporate risk management. Commissioner Aguilar has now clarified that this focus on risk management should include oversight of a corporation’s data/cybersecurity issues. He also recommended that company boards look to the National Institute of Standards and Technology’s (“NIST”) February 2014 Framework for Improving Critical Infrastructure Cybersecurity. In this Framework, NIST attempts to set out guidelines to allow companies to improve their data and cybersecurity.

Companies are already feeling the pressure to make cybersecurity a priority. Data breaches and other cyber-crimes cost American companies over $10 million in 2013. The impact of cyber-attacks can extend far beyond the direct costs associated with recovery of the affected systems, including damage to consumers and significant reputational harm. In addition, the FTC has begun more than 50 data-security enforcement actions in recent years and data breaches have translated into civil lawsuits.

Civil suits include federal securities actions, consumer class actions, and derivative suits against corporate directors and officers, alleging that failures of oversight and inadequate cybersecurity systems led to the breaches. In recent years, high-profile cases involving privacy and data security have been filed against Target, TJ Maxx, Heartland Payment Systems, and Google. Most of these cases either settled or have not progressed significantly beyond the pleading stage, and the lack of litigated cases has left companies with very little case law to guide their attempts to create adequate cybersecurity frameworks. But waiting to learn lessons from cases such as the recent derivative and consumer class action litigation against Target may expose companies to potential liability if they become the victim of a cyber-incident.

There are several proactive steps companies can take to protect themselves from both cyber-attacks and related liability:

  • Develop an enterprise-wide governance structure for addressing cybersecurity;
  • Identify sensitive data and assess its vulnerability;
  • Develop effective information security policies and procedures, including employee training and management of both employees and vendors;
  • Assess technical and physical data protections on a regular basis;
  • Prepare a cyber-incident response plan to a potential breach—this should include protocols for managing investor relations, press releases, communications with regulators/law enforcement, and public disclosures following a cyber-incident;
  • Practice the cyber incident response plan regularly; and
  • Review existing insurance cover and consider investing in specialty insurance to mitigate cyber-related risks and costs.

Further, in light of Commissioner Aguilar’s comments emphasizing the duty of a public company’s board of directors in ensuring the company’s cybersecurity, directors should consider educating themselves about cybersecurity and making it a part of the board’s regular duties. Some steps that can be taken by the board to lessen risk include:

  • Assigning cybersecurity risk assessment to a particular board committee;
  • Reviewing the annual budget for privacy and IT security programs;
  • Assigning roles and responsibility for privacy and security to executives/staff;
  • Receiving regular reports on past breaches and current and future risks;
  • Participating in training or consulting an outside expert on cybersecurity to ensure that relevant directors have the required technical understanding to evaluate current and future risks; and
  • Ensuring the company maintains and practices its cyber incident response plan.

The stakes of cyber-attacks are high. Companies should work proactively to protect themselves both from possible attack and from the litigation sure to ensue from any such attack.

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.