Excerpt from a piece by David X Martin and Roel C. Campos for the law firm of Hughes Hubbard & Reed, where Campos is a partner.
How do directors cope with their obligations to oversee cybersecurity?
Many directors understand they have a responsibility to oversee cybersecurity at their companies. But more puzzling is what they should be doing now to contribute to the board’s effort. What are the right questions they should be asking?
On September 7, 2017, one of the nation’s largest credit monitoring agencies, Equifax Inc., announced that over 143 million customers’ accounts had been breached in what may be the most significant cyberattack to impact U.S. consumers to date. Although cybersecurity is not a new challenge for boards of directors, the sheer scope and volume of recent events suggest that we may be experiencing a watershed moment when it comes to directors’ responsibility to oversee, and managers’ duty to implement, adequate cybersecurity systems at companies. Following Equifax’s public disclosure of the cyberattack affecting its systems, observers learned a good deal about what potentially went wrong at the company—including a series of red flags that senior managers and boards of directors at other companies may learn from. Taken together, the breaches reveal a series of lessons and warnings that boards of directors simply cannot afford to overlook anymore.
Bonus: Directors’ Cyber Checklist