[2014]
Strengthened Director Duties of Care for Cybersecurity Oversight: Evolving Expectations of Existing Legal Doctrine
Brad Lunn 1
It is difficult to identify when an existing order will change, and when the combined effects of multiple, seemingly independent forces will collude to bring about something new. We are reminded of this when a disruptive technology enters a new field. Existing practices give way to new realities and a return to the comfortable "old" way seems unimaginable. While corporate law practitioners have become comfortable with the substantial discretion provided directors under Delaware's interpretations of director duties and the business-judgment rule, a transformation of expectations concerning director oversight of cybersecurity and associated director liability is currently underway.

1 Brad Lunn is an executive in a leading Aerospace & Defense firm, and a founding member of the Defense Security Information Exchange (DSIE). An experienced board member, he served on a national governing body of the US Olympic Committee and was Audit Chair. He completed Harvard's flagship program on Corporate Governance and is chief executive of a non-profit organization focused on cyber-security oversight. Special thanks for the helpful advice of Professor Lynne Dallas of USD Law School. All errors are the author's alone.
To date, board oversight of cybersecurity has been less than effective. The National Association of Corporate Directors' ("NACD") 2012 conference featured a presentation that described an "IT confidence gap" and noted most directors between age 60 and 65 spent a majority of their professional lives in the pre-digital era. The NACD presentation also disclosed that less than 1% of Fortune 500 directors have been or are currently chief information officers (CIOs) and that IT is highly technical and difficult for most directors to understand. 2 Moving forward, corporate directors are well advised to anticipate that emerging technology forces and corporate law precedent will pressure courts and regulators to require directors to oversee cybersecurity with vigilance similar to that expected of legal compliance professionals. In this new era, increased cybersecurity-oversight duties and director liability are certain to lead to dramatic and important changes in corporate law. Their time will come; the question is when and by what means.
I. The Importance of Cybersecurity to Corporations

7 Adobe warns 2.9 million customers of data breach after cyber-attack, THE GUARDIAN, Oct. 3, 2013, available at
persistent, so defenses must evolve. A cybercriminal, however, could transfer all funds out of a corporate bank account, access and steal corporate intellectual property, access confidential client records, steal and use customer credit card and banking files, alter corporate accounting records, access and adjust medical files, change grades, open flood gates at a dam, turn off municipal water pumps, or worse. While it's unlikely a common criminal could enter a building and take millions of customer records, a cybercriminal can leverage speed-of-light tools to their advantage, hide for years in a cloak of distant unnamed servers in multiple jurisdictions, and erase a decade of brand building overnight. The very fact that these crimes occur regularly 8 and often involve enormous economic value makes it reasonable for corporate directors to pay close attention. Said another way, it might be challenging to assert that a reasonably informed board is unaware of today's substantial cybersecurity issues affecting organizations of all kinds.
III. A Complex and Regulatory Environment
The legal profession is now recognizing that cyber threats are widespread and serious. The American Bar Association published its first handbook on cybersecurity in 2013. It states, "according to PricewaterhouseCoopers, hacking

8 The ABA
Id. at 173.
computer system also will have a material effect on the business and operations of these companies. Based on the importance of computer systems to most businesses, companies are required to disclose the risks associated with installing, operating, maintaining and replacing or upgrading these systems, at least to the extent that these risks are unique in certain respects to the specific company or could have a materially adverse effect on the company's business. The risks to these computer systems include cybersecurity, and events related to its failure to protect such systems from internal and external threats. This disclosure obligation, coupled with the risks
Foundational Theory and
at 112.
22 Potter v. Pohlad, 560 N.W.2d 389, 392 (Minn. Ct. App. 1997).
25 This
26 This information sufficient to allow
2006).
Systematic disregard of important information by act or omission is not insulated in certain situations. "The widely cited Caremark decision analyzed the circumstances in which directors might be held personally liable for failures to exercise sufficient oversight over corporate affairs. That decision articulated a standard of liability keyed to whether the plaintiff demonstrates 'a sustained or systematic failure of the board to exercise oversight-such as an utter failure to attempt to assure a reasonable information and reporting system exists.'" 33 Such rulings suggest that a board cannot wait for a red flag, and that it has an affirmative obligation to be well informed. While a director is entitled to rely on management reports, if such reports are inconsistent with what a reasonable director knows to be true, directors are not entitled to rely on reports they reasonably suspect are inaccurate. The concept of boards using a reasonable "information or monitoring system" supports the basics of corporate governance, specifically directors' duty to be well informed, particularly on factors that in and of themselves should grab reasonable directors' attention. Corporate legal doctrine requiring directors to have an information system allowing them to gather needed information aligns to negligence theory in terms of reasonable foreseeability; thus, the governance and negligence doctrines fit together
Gorris, Hamermesh et al., Delaware Corporate Law and the Model Business Corporation Act: A Study in Symbiosis, Widener Law School Legal Studies Research Paper Series no. 11-15, March 25, 2011, SSRN.
15 Memorandum,

What is a cybersecurity red flag?
The
A. Hypothetical Scenario
Let's place ourselves in a situation of our own design. You are a director for ABC Company and are on the audit committee. ABC is a successful public company. The board has not received a briefing on cybersecurity as a part of its oversight, nor is cybersecurity discussed in the busy agenda. Cybersecurity is not on the annual board agenda. The CEO advised the board that outsiders accessed the company's network and early indications suggest information was stolen. He also noted that it seems like the same group that has accessed the system the last three times over two years, but nothing was stolen in those events. You were not previously aware of these "other" incursions. What are the governance issues here? (Ignore for a
that the following five factors appropriate be cyber
even if such
If the loss probability multiplied by the loss-event value exceeds the burden (mitigation costs), such mitigations should be implemented. The greater the gap, the more important the matter should be to the company. The existence of some ultra-high-value risks warrants special consideration on a case-by-case basis, since some losses cannot be permitted (withstood) under almost any situation. Special care must be afforded to these special cases. Given that the burden of basic director education and oversight is relatively low, it is difficult to assert that such investments are not reasonable if high-value losses are possible.
C. Recommendations
How many cyber red flags are too many? Can a board wait until red flags emerge before liability attaches? At what point is a line crossed that escalates facts from "unpredictable event" to "basic negligence" to "lack of good faith"? The existence of cyber red flags is not, in itself, an indication of director liability or ineffective oversight, but rather paints an emerging picture of the challenges facing the board; how the board discharges that challenge, or its failure to do so, creates the breach to which personal liability may attach. It depends on the circumstances, but these simple factors will provide directors, regulators and
VII. Conclusion
Corporate law will evolve to hold corporate directors more accountable for cybersecurity oversight. Serious cybersecurity threats are a common and growing risk to corporate value, and breaches or failures to protect these computer systems and their data can have grave consequences to a firm's future. Directors have duties of care and loyalty, and the obligation to act on a well-informed basis on important issues impacting corporate affairs. Regulations mandating everything from disclosure of risks to quick disclosure of negative events, to specific technical requirements for system/data security are growing, and this is well known to reasonably well-informed directors.

If a board is found to have systematically ignored such cybersecurity red flags, or utterly failed to design an information system to ensure that the board is well informed with respect to cybersecurity, and if such failure is a contributing cause of corporate loss, the author believes that a reasonable court would find director breach of the duty of care and loyalty, to which director liability would attach. The point is that directors are
This article is not legal advice. Engage appropriate legal counsel.