Cybersecurity Challenges for Boards of Directors

Why Directors Need to Take Action!

The COVID-19 pandemic has put business cybersecurity under the microscope as boards of directors all over the world move to to hold meetings remotely. The topics they are discussing: layoffs, government loans and possible restructuring are just the sort of inside info that less scrupulous investors and business competitors would love to have.

What’s more, boards are also meeting more frequently, notes a recent Bloomberg Law article “Corporate Boards Face Cyber Test as Covid Forces Meetings Online,” raising concerns about the secure sharing of documents and notes. It’s little wonder that online meeting platform Zoom has recorded a jump in active daily users from 10 million to 200 million over the past three months.

As a director, your duty of care makes you responsible for cybersecurity, no matter the size of your business or the industry in which you work. Criminals in cyberspace attack all the risks businesses face: corporate account takeover, identity theft, stolen data or intellectual property.

Pragmatically, it is a matter of when, not if, you’ll face a problem. If you have already been hacked, you need to assume you will be hacked again.

Cybersecurity is the word which asks directors: “What are you doing to protect shareholders from unseen criminals?” Like other enterprise-level risks, a systematic approach is needed to deal with these complex issues. The Board can no longer delegate this responsibility to an officer and ignore it.

Future Cybersecurity Risks for Boards to Address

When you build a cybersecurity plan, you need to think about what comes next. There are three likely areas to focus on:

(1) Increased regulation to protect consumers and investors,

(2) Changes in M&A practices, and

(3) New risks created by the Internet of Things (IoT).

Now is the time to consider how these future trends increase your responsibilities to your investors.

Regulations For Consumer Protection

Governments issue numerous regulations designed to protect consumers and investors. In March 2017, for example, New York State raised the bar by approving a new cybersecurity law. (23 NYCRR 500)

While this law targets financial institutions, it has implications for other industries. If you do business with consumers in New York, you need to be aware of new restrictions and requirements on your commercial activity. Expect other states to follow in New York’s footsteps.

If you do business with EU residents, then you need to understand the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

The GDPR creates a comprehensive framework for consumer protection. Regulators enforce these rules by fines of up to 4% of global revenue (with some limits).

Regulations For Investor Protection

The SEC promulgated its own host of regulations that apply to market participants, exchanges, brokers and RIAs.

As early as 2011, the SEC provided guidance on disclosures and what must be in MD&A reports. If you are a public company director, you are already responsible for these mandates. If you are a director at a private company, you need to assess which of these mandates to consider as best practices to adopt for the protection of your investors.

Directors Need More M&A Diligence

In the world of M&A: valuations, cybersecurity impacts certainty of close and the post-close transition process. Here is a short list of questions to consider:

• How much more will it cost to assess the seller’s cyber readiness?
• If you are unsure of the seller’s preparedness, do you reduce the price or walk away?
• If you can’t walk away, how do you hedge the risk?
• What additional post-close costs are needed for cyber security?
• How should you rework the representations and warranties?
• Should you increase the holdback or push out the term of the holdback?

Cybersecurity needs to become a component of a strong diligence process. It will require judgment on when to bring in technical resources, as well as how to measure new types of risk.

The IoT Battlefield

The Internet of Things (IoT) is here. It encompasses everything from household items (TVs, coffee machines) to industrial, commercial and public infrastructure. Many such devices are “dumb” (in a data sense); they provide data but have no security features.

The IoT includes numerous critical and intelligent devices as well. It’s a lot to take in, and the fallout is just as difficult to predict. As with Y2K, we just don’t know what may happen.

These threats require both offensive and defensive analysis. Criminals could attack your revenue-producing assets to extort profits or damage your reputation. Alternatively, your “dumb” devices can be taken over as zombies to attack websites and other targets. Neither is good.

Consider the historical evidence. The Bowman Avenue Dam in New York was hacked in 2013. Stuxnet was deployed in 2010. State actors conducted these attacks, it’s true, but they give perspective to what a motivated, well-equipped crime syndicate could do. The 2016 Dyn DDoS attack took down a big part of the Internet.

The IoT is considered to be a potentially major new revenue stream for many companies, but the IoT is a new frontier. What risks might you be accepting without fully comprehending first? As the revenue from IoT expands, there will likely be incidents which demand new regulations to protect the public. How does this impact your business strategy and capital expenditures?

What do you, as a director, need to do about it?

What Can Directors Do About Cybersecurity?

Directors must protect their shareholders’ tangible and intangible assets, regardless of the form of the threat. Directors need to initiate protective actions and provide on-going oversight for cybersecurity. These efforts should start by committing to a methodical course of action. The path forward starts with:

• Accept the situation
• Get educated
• Put the issues into context
• Assess your vulnerabilities
• Evaluate the risks
• Estimate the costs
• Decide to accept, avoid, mitigate or transfer risks
• Get help when needed
• Test your readiness
• Make cyber security a regular board agenda item

Following this path forward is why shareholders elect directors — to protect their vital interests.

Directors do not need to be experts in cybersecurity, but they need to decide how to accept, avoid, mitigate or transfer the risks. Setting a plan, directing management and holding staff accountable are the board’s responsibility.

[Editor’s Note: To learn more about this and related topics, you may want to attend the following webinars: Cybersecurity and Data Privacy 2019 and Data Privacy Compliance. This is an updated version of an article first published May 9, 2017.]

©All Rights Reserved. June, 2020.  DailyDAC™, LLC d/b/a/ Financial Poise™