The recent barrage of high-profile corporate cyberattacks demonstrates that cybersecurity weaknesses pose a serious corporate threat that can inflict tremendous costs on businesses.
Cybercrime costs the world economy an estimated $400 billion each year, and losses to U.S. companies account for more than 25 percent of this global total, according to a report by the Center for Strategic and International Studies.
No business with a digital presence is immune to cybersecurity risks, which include:
- Reputational damage and loss of goodwill
- Penalties for non-compliance with data privacy regulations
- Litigation risks, including consumer class actions and shareholder derivative litigation, among others
- Lack of appropriate insurance coverage for cybersecurity incidents
The recent attack on Sony Pictures and the devastating impact it has had on Sony’s operations provide a frightening example of the risk facing all businesses, even those that might believe themselves to be unlikely targets. As SEC Commissioner Luis A. Aguilar recently noted: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
It would be unreasonable to expect all corporate directors to be adept at the highly technical aspects of information security. At the same time, directors’ fiduciary duties to oversee the company’s affairs and monitor risk extend to cybersecurity.
The following steps should provide a framework to ease this tension.
- Designate Cybersecurity Point People and Obtain Adequate Expert Support
- Proactively Assess Cybersecurity Weaknesses
- Develop and Practice a Data Breach Response Plan
- Establish a Clear Chain of Command
- Reevaluate Insurance Coverage
- Continuously Monitor Business Practices and Risks