November 16, 2020
Cybersecurity is a recurring and critical board agenda item for good reason. Related reputational, regulatory, and business impact risks—all of which are likely to have economic consequences, potentially resulting in regulatory fines, lawsuits, and decreasing stock prices—are just a few key concerns for companies and their leaders. The failure of an organization and its board to fulfill their cybersecurity responsibilities can even create existential risk.
Given the global business environment, the interconnectedness of today’s technology, and corresponding cyber threats, it is vital that boards keep current on news cycle headlines, trending cyber risks, and global regulatory cybersecurity requirements, expectations, and best practices.
Director responsibilities with regard to cybersecurity oversight stem from a general obligation or fiduciary duty of care to oversee risk and, in many cases, are more specifically prescribed by regulatory requirements, strong recommendations, and expectations. Below are examples of such global regulatory responsibilities required by regulatory or law-making bodies in the respective countries in which companies do business.
A failure of the board to properly understand and effectively mitigate cyber risks that results in a cyber incident or damage to the company (reputational or otherwise) may amount to a breach of director duties, exposing directors to personal liability in certain jurisdictions such as the United Arab Emirates, Argentina, Malaysia, and Israel.
Under Europe’s General Data Protection Regulation (GDPR), companies have an obligation to reasonably safeguard data whether in electronic or paper form. Violations of this requirement due to a cyber incident or other factors can result in fines of up to 20 million euros or four percent of a company’s total worldwide annual turnover from the preceding financial year. The GDPR imposes fines for noncompliance only on legal entities, not individual managers. However, based on German procedural laws implementing GDPR locally, the fine is imposed on responsible individuals, which can include a corporate director, rather than the legal entity.
In France and Singapore, criminal sanctions of up to five and two years of imprisonment, respectively, may be applied against an individual responsible, including a corporate director.
The board plays an important role in helping the company it serves balance and oversee security risk appetite, risk mitigation strategy, and strategic business objectives.
To avoid the perils of unfulfilled director responsibilities in relation to cybersecurity oversight, the board should consider the following tips:
Lucy Fato is executive vice president, general counsel, and global head of communications and government affairs of AIG and Nubiaa Shabaka is chief cybersecurity and privacy legal officer and associate general counsel of AIG.