The World Economic Forum lists cybersecurity breach as one of the five most serious risks facing the world today, with an estimated global cost reaching $6 trillion by 2021. As such, many corporations are beginning to realize that vigilance against cyber threats needs to be a priority rather than an after-thought in their risk management programs. Consequences of potential cyberattacks extend far beyond a corporation’s IT department and can envelop a company’s reputation and livelihood in a matter of minutes. Considering the value at stake and with their required fiduciary duties in mind, boards of directors should heed guidance from the SEC and regulatory bodies, legal experts, and recent Delaware caselaw to establish concrete and specific plans to minimize risks on the cybersecurity front.
In re Caremark Int’l Inc. Derivative Litigation (“Caremark”) provides a broad point of reference for director duties in the arena of corporate risk and legal liability. According to Chancellor Allen, a director’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists” Chancellor Allen explained that the depth of such an information system is left to the business judgment rule but nonetheless, a duty of good faith exists.
Nearly 20 years after Caremark, the Delaware Court of Chancery examined a derivative action suit where stockholder plaintiffs of Capital One Financial Corporation (“Capital One”) alleged that the directors breached their fiduciary duty of loyalty and unjustly enriched themselves while consciously disregarding oversight responsibilities within the corporation. The court clarified that in order to be successful in bringing a Caremark oversight claim, plaintiffs must establish in their pleading, with particularity, “a sufficient connection between the corporate trauma and the board.” With this connection, according to Chancellor Bouchard, plaintiffs can plead that the board was aware of corporate misconduct, and acted in bad faith by “consciously disregarding its duty to address that misconduct.” The legal standards set forth in Caremark and Reiter are notoriously high standards and extremely difficult ones for plaintiffs to overcome to be successful in a judgment. Chancellor Allen noted this in Caremark when he wrote that proving directors breached their duties “is possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”
The difficult legal standards for plaintiff stockholders to overcome should not give boards a false sense of security when it comes to fulfilling their duty of oversight, a component of the duty of loyalty, on the cyber-security front. The SEC is more involved than ever in this expanding area of the law. Earlier this year, the SEC issued guidance extensively focused on disclosure requirements of cyber-related issues. The guidance stressed the importance of timely disclosure to investors about all cyber-related incidents. Further, the SEC discussed board oversight risk as it relates to cybersecurity. Companies are required to disclose directors’ roles in the risk oversight of the company such that this disclosure “should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.” To the extent that cybersecurity risks are material to a company’s business, it is the position of the SEC that these discussions include the board’s role in managing cybersecurity risks.
While the SEC provided no concrete policies and procedures for boards to model in recent guidance, it strongly suggested a hands-on approach that it believed boards must take due to the broad duties that boards owe to corporations, generally. In 2014, citing the financial crisis of the 2000s, former SEC Commissioner Luis Aguilar discussed the possibility that boards may not have been doing enough to manage risks within their companies and that oversight contributed to “unreasonably risky behavior that resulted in the destruction of untold billions in shareholder value.” The SEC amended disclosure requirements about a board’s involvement in risk management as a result of the crisis, and according to 2013 proxy filings of S&P 200 companies, boards are almost universally taking full responsibility for the risk oversight within their corporations. While it is reassuring that corporations are increasingly concerned with prioritizing risk management, it’s not immediately clear if a pattern exists that would suggest that boards are also including cybersecurity risks in their overall risk management strategies.
For example, following Target’s security breach during the 2013 holiday shopping season affecting nearly 41 million consumer payment accounts and contact information for 60 million Target customers, prominent proxy advisory firms called for shareholders to oust several directors for failure to do enough “to ensure Target’s systems were fortified against security threats.” Target admitted that its staff declined to act on the previous alert of potentially malicious activity. As a result, Target found itself the target of ongoing litigation and congressional hearings resulting in an ultimate payment of an $18.5 million multistate settlement.
The aftermath of the Target breach, according to Aguilar, should put directors “on notice to proactively address the risks associated with cyber-attacks.” The terms of Target’s settlement require the corporation to: develop and maintain a comprehensive information security program; employ an executive or officer responsible for executing the program; hire an independent expert to conduct a security assessment; maintain and support data security software on the company’s network; segregate the cardholder data from the rest of the network; and take steps to control network access, including password rotation policies and two-factor authentication. Some of these requirements directly involve corporate governance at the board level, thus providing an outline of acceptable steps boards can take to mitigate risks and fulfill their duty of loyalty, including the duty of oversight. Some of these requirements mirror those suggested by legal experts in the field of cybersecurity and corporate governance. Additional suggestions include periodic review of data security disclosures to ensure SEC compliance, periodic review and upgrade of appropriate insurance coverage to protect in the event of an inevitable data breach, assessing whether the company’s executive management team possesses awareness of the cross-functional characteristics of cyber risk and does not view it as a risk handled only by the IT department, looking to legal counsel to oversee cybersecurity program formulation, and most importantly, for the board to remain directly involved in oversight responsibilities, rather than assigning to a specialized risk committee. If boards do not have a cybersecurity expert, they should be proactive and engage an external expert to provide this service or bring an experienced professional on board. In fact, a bill introduced in the U.S. Senate, Cybersecurity Disclosure Act of 2017, would require companies to disclose in their SEC filings whether or not they have a cybersecurity expert on their boards and if not, what steps are being taken to fulfill this gap.
In conclusion, cyberattacks are very tangible threats and are more of a foreseeable reality than an existential risk. In fulfilling their duties owed to the corporation like those discussed in Caremark and Reiter, and to minimize potential personal liability, directors and officers need to face cybersecurity issues just as seriously as financial audits and other corporate governance issues, and with as many resources as would be traditionally allocated to those issues deemed crucial to the corporation’s success. Consequences of a cybersecurity breach are extremely costly and continuous, and as such, it is far more prudent for corporations to make the initial investment for prevention via comprehensive policies and procedures than to spend those resources litigating after an attack, while also fighting to save the company’s reputation and perhaps, one’s position within the board.
Kacee is a 4L Evening Division student, graduating in December of 2018. She currently works full-time at Century 21 Gold Key Realty as Director of Relocation & Business Development. She is a recipient of the Lucinda Peipher Memorial Award for Excellence in International Law/International Business Transactions and a past participant of the Widener University Delaware Law School Dignity Rights Practicum.