The Responsibility of a Company’s Board of Directors When It Comes to Cybersecurity

A recent article from Above The Law, a legal news website, did a great job of explaining why company board members should treat cybersecurity as a major risk to the business or organization.

All too often, the assumption by boards is that cybersecurity is the CIO’s job and that’s that. The issue is taken care of and they move forward. Forget the fact that this is actually a bit of a conflict of interest because people generally tend not to tell on themselves if things aren’t quite right; it’s just human nature. The bottom line is that cybersecurity threats are a huge risk to the business and need to be treated as such.

Once a company is breached and word gets out, it can snowball into an all-consuming disaster. There have been plenty of examples in the news over the years of public relations nightmares that have to be managed, of lawyers having to be paid, of systems needing to be upgraded, of fines having to be paid and so on.

Think Target, Home Depot, the Office of Personnel Management and, most recently, Yahoo!

Many times we’ve had discussions with C-Suite executives and board members on cybersecurity, and the first thought that often comes to mind for them is, “That’s the CIO’s office’s responsibility, you should talk to them.” This misconception should raise red flags for the rest of the board and the C-suite.

The article highlights eight key elements of a board’s responsibility for cybersecurity issues in the company:

—Board minutes should reflect discussion of cybersecurity and privacy issues;

—The whole board should be involved;

—Don’t have a designated “cyber expert” board member;

—Use current events to frame the discussion;

—Trust, but verify;

—Hire vendors and other third parties to evaluate and enhance your cybersecurity framework;

—Insurance isn’t a panacea;

—Work with your non-legal colleagues to educate and inform the board.

A failure to treat cybersecurity with the seriousness it deserves can come back to haunt a board when it comes to a company’s valuation.

As an example, look no farther than the proposed $4.8 billion purchase of Yahoo! by Verizon. Following the 2014 hack by what’s believed to be an Eastern European gang, Verizon is backtracking on the purchase price — and perhaps the deal altogether — with media reports placing the discount Verizon may be seeking at $500 million to $1 billion.

That’s a staggering loss in value that’s the result of shoddy due diligence on the part of Yahoo! and its board of directors. An article in Mergers & Acquisitions had this to say about the treatment of cybersecurity in the corporate world: “Boards and companies, in general, have less of an understanding about cyber risks than they should, which leads to gaps in their overall due diligence.”

Managing risk is as much an imperative for the CIO as it is for the C-Suite and the board of directors. Anything less than that is negligence.