SEC Clarifies Duties of Board of Directors Regarding Cybersecurity and Data Breaches

On June 10, 2014, Securities and Exchange Commissioner Luis Aguilar spoke at a “Cyber Risk and the Boardroom” conference at the New York Stock Exchange. Commissioner Aguilar indicated that public companies need to increase their monitoring of cybersecurity risks, and that the SEC will be reviewing companies’ cybersecurity measures and disclosures to ensure that investors are made aware of relevant risks and cybersecurity incidents.

Since the financial crisis began in 2008, the SEC and corporate commentators have placed an increasing focus on directors’ oversight of corporate risk management. Commissioner Aguilar has now clarified that this focus on risk management should include oversight of a corporation’s data/cybersecurity issues. He also recommended that company boards look to the National Institute of Standards and Technology’s (“NIST”) February 2014 Framework for Improving Critical Infrastructure Cybersecurity. In this Framework, NIST attempts to set out guidelines to allow companies to improve their data and cybersecurity.

Companies are already feeling the pressure to make cybersecurity a priority. Data breaches and other cyber-crimes cost American companies over $10 million in 2013. The impact of cyber-attacks can extend far beyond the direct costs associated with recovery of the affected systems, including damage to consumers and significant reputational harm. In addition, the FTC has begun more than 50 data-security enforcement actions in recent years and data breaches have translated into civil lawsuits.

Civil suits include federal securities actions, consumer class actions, and derivative suits against corporate directors and officers, alleging failure of oversight and inadequate cybersecurity systems led to the breaches. In recent years, high profile cases involving privacy and data security have been filed against Target, TJ Maxx, Heartland Payment Systems, and Google. Most of these cases either settled or have not progressed significantly beyond the pleading stage, and the lack of litigated cases has left companies with very little case law to help guide their attempts to create adequate cybersecurity frameworks. But waiting to learn lessons from such cases as the recent derivative and consumer class action litigation against Target may expose companies to potential liability if they become victim to a cyber-incident.

There are several proactive steps companies can take to protect themselves from both cyber-attacks and related liability:

• Develop an enterprise-wide governance structure for addressing cybersecurity;
• Identify sensitive data and assess its vulnerability;
• Develop effective information security policies and procedures, including employee training and management of both employees and vendors;
• Assess technical and physical data protections on a regular basis;
• Prepare a cyber-incident response plan to a potential breach—this should include protocols for managing investor relations, press releases, communications with regulators/law enforcement, and public disclosures following a cyber-incident;
• Practice the cyber incident response plan regularly; and
• Review existing insurance cover and consider investing in specialty insurance to mitigate cyber-related risks and costs.

Further, in light of Commissioner Aguilar’s comments emphasizing the duty of a public company’s board of directors in ensuring the company’s cybersecurity, directors should consider educating themselves about cybersecurity and making it a part of the board’s regular duties. Some steps that can be taken by the board to lessen risk include:

• Assigning cybersecurity risk assessment to a particular board committee;
• Reviewing the annual budget for privacy and IT security programs;
• Assigning roles and responsibility for privacy and security to executives/staff;
• Receiving regular reports on past breaches and current and future risks;
• Participating in training or consulting an outside expert on cybersecurity to ensure that relevant directors have the required technical understanding to evaluate current and future risks; and
• Ensuring the company maintains and practices its cyber incident response plan.

The stakes of cyber-attacks are high. Companies should work proactively to protect themselves both from possible attack and from the litigation sure to ensue from any such attack.