By Simone Petrella, Chief Cyberstrategy Officer, CyberVista
Even though 94% of corporate executives believe their company will experience a significant cybersecurity incident within the next two years, only 45% of companies have cybersecurity training and awareness programs. To further illustrate this disconnect, nearly one third of companies that have cybersecurity training programs exempt board members and executive officers from the training requirements.
Care, Loyalty, and Good Faith
Whether public or private, a company’s board of directors is bound by a fiduciary duty to operate in the best interests of the business. This fiduciary duty can be broken down into three distinct duties: care, loyalty, and good faith. If a member of the board, or the entire board, is found to have done something that betrays these fiduciary duties, then that individual can be held liable by the company or its shareholders.
The increase in cybersecurity breaches, incidents, and subsequent litigation highlights how board responsibilities extend to protecting data around intellectual property, customer and employee information, and other sensitive information. While Target may have settled its Directors and Officers (D&O) lawsuit related to a cyber breach, there are other suits still pending against the directors and officers of other companies that allege the board breached its fiduciary duty of care and loyalty to the shareholders.
In addition to legal morass, including class action law suits, cyber breaches can also damage companies’ business operations, reputation, and shareholder value and faith.
Cybersecurity Oversight is a Necessity
According to a study by Georgia Tech’s Information Security Center, the number of boards actively addressing computer and information security has increased from 23% in 2012 to 63% in 2015. Another study by Raytheon and the Ponemon Institute reports that just 22% of boards today are being briefed directly by their organization’s security leaders on cybersecurity risk and strategy. More direct dialog must be established between the cybersecurity leaders within an organization and the board.
Cybersecurity oversight at the board level is no longer a leading practice – it is a necessity. Organizations of all kinds, both public and private, are regularly targeted for cyber-attacks. Meanwhile, the media reports a seemingly never-ending series of breaches. What steps are you and your organization taking on cybersecurity? Consider governance-specific cybersecurity training for your board.