The Dangers of Ignorance in the Boardroom
A worldwide survey of 10,000 executives in 154 countries by Forbes revealed that corporate security budgets, including cyber-security budgets, had been reduced at a time when cyber breaches were rising dramatically. The survey found that corporate boardrooms were either ignorant of the risks or demonstrating “ostrich-like” behaviour, ignoring the risk of cyber-security breaches. These results are especially concerning given the ever-increasing number, severity and sophistication of cyber-attacks across an expanding range of sectors, including retail, finance, education, national defence, health care and every level of government.
This survey raises the question: does the corporate director have a fiduciary duty of oversight with regard to cyber-security and its relation to the risk management functions of the organization? This article focuses on the key cyber-governance questions that responsible directors must ask corporate officials as part of their duty to assure an effective corporate information and reporting system. Failure to fulfill this fiduciary duty could result in massive class-action lawsuits for losses caused by non-compliance with it.
Actual and potential risks demand vastly increased Board oversight of cyber-security governance
News of actual cyber-security breaches should alarm every corporate board in the world. In just one of a multitude of high-profile examples, an estimated 40 million credit and debit card records were stolen from Target Corporation, and the personal data of over 70 million customers is now in the hands of hackers. The cost to the company of the attack itself runs to hundreds of millions of dollars, and potentially billions once lost reputation and trust are counted. Proxy advisor ISS has advised against the re-election of all members of Target’s audit and CSR committees, arguing that these committees failed in their duty to monitor the risks to sensitive information.
Class-action lawsuits against Target and other companies arising out of cyber-security breaches have argued that the directors of those companies failed to take reasonable steps to keep the personal and financial information of customers secure, as their fiduciary duties required.
In countries with developed corporate governance law, such as the U.S. and Canada, the case law typically imposes on directors a fiduciary duty of good faith to assure that the corporation’s information and reporting systems are adequate; failure to meet this duty can leave directors liable for losses caused by non-compliance with the applicable legal standards. Directors can still plead in defence that they exercised informed, good-faith business judgment, but they must provide evidence that such judgment was actually exercised by the board and not simply left to other officials in the corporation.
A leading benchmark in the U.S. is the 1996 Caremark decision of the Delaware Court of Chancery, which established the basic duty of directors to attempt in good faith to ensure that corporate information and reporting systems are adequate, and held that failure to do so may, in some circumstances, render directors liable for losses. The facts concerned the directors’ failure to put in place adequate internal controls, the absence of which enabled employees to commit criminal offences and resulted in substantial fines to the company.
In Canada, the courts have made it clear that boards, and even directors who resign after a breach of fiduciary duty has occurred, cannot escape liability if they relied on external experts without exercising proper judgement and without properly supervising and directing those experts. While those cases dealt with excessive compensation, the same reasoning could apply to reliance on inadequate external advice about cyber-security threats.
In light of this critical fiduciary duty to oversee the corporation’s cyber-security governance system, the table below highlights some of the basic information that is required, and the questions that Boards must demand be answered by corporate officials or external experts.
In addition to these questions, boards should ask whether the company should adopt the NIST Cybersecurity Framework, released by the U.S. National Institute of Standards and Technology on February 12, 2014. According to NIST’s website, the Framework was created through collaboration between industry and government and consists of standards, guidelines and practices to promote the protection of critical infrastructure. Its prioritized, flexible, repeatable and cost-effective approach helps owners and operators of critical infrastructure to manage cyber-security-related risk.
The list of critical questions below could be much longer than six, but it has been kept short in the knowledge that most existing board directors are not experts in cyber security and need general signposts towards fulfilling their fiduciary duties in the face of the growing multitude of cyber threats that confront their companies in a globalized, wired world. They are expected to understand that asking the right questions is critical if the company and its internal and external experts are then to provide the right answers.
___
Professor Errol Mendes is a well-known lawyer, a professor at the University of Ottawa, and a consultant on corporate ethics, governance and compliance. He has acted as an adviser to the UN in these areas. emendes@uottawa.ca
© FrontLine Security 2014