Top 5 Questions for Directors Re: Cyber Governance

Privacy Plus+

Privacy, Technology and Perspective 

This week, let’s focus on effective cyber governance, and propose some questions that every director should ask. Directors have a critical role to play in an era where cybersecurity is increasingly a material business risk. Understanding the director’s role and having effective systems in place can make a significant difference in protecting your organization.

Here are five questions every director should ask (and keep asking):

1. How are we, as a board, ensuring we meet the Caremark standard of care regarding cybersecurity risks?  Meeting the Caremark standard, often referred to as a director's duty of care, is a critical responsibility of every board. The standard, stemming from the landmark case In re Caremark Int'l Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996), recognizes that directors have a duty "to exercise oversight" and to monitor a corporation's operational viability, legal compliance, and financial performance.

Under Caremark, directors may be held personally liable when:

  1. the directors fail to implement any reporting or information system or controls; or

  2. having implemented such a system or controls, [the directors] consciously fail to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention.

To meet this standard, the board must ensure it has implemented robust systems for receiving, processing, and addressing information about potential risks.  This could involve tasking the audit committee or establishing a dedicated risk committee with specific responsibility for cybersecurity. In such a case, the committee should receive regular, detailed briefings from the Chief Information Security Officer (CISO), other senior IT staff, and external cybersecurity consultants, if necessary. It's crucial that these updates be well-communicated to the board in their entirety and thoroughly understood, so engaging experts to explain complex jargon-filled cybersecurity issues in plain “business English” can be highly beneficial.  Additionally, directors of publicly traded companies will want to consider cybersecurity along with their companies’ SEC disclosures, staying aware that cyber disclosures are not cut-and-paste blurbs, but must be continually accurate representations of the organization’s overall cyber risk.

2. Do we communicate with our organization’s Chief Information Security Officer (CISO)? As a corollary to meeting the Caremark standard, every director should recognize that having a direct line of communication with the CISO is vital. Too often, security issues are indirectly reported to the board through intermediaries, such as the Chief Information Officer (CIO) or Chief Technology Officer (CTO).  But receiving updates and briefings about the organization’s cybersecurity posture, upcoming initiatives, and potential threats directly from the CISO can help the Board ensure that it makes informed decisions based on full information. If the CISO isn't a regular part of board (or board committee) meetings, it might be time to reconsider this and establish a more direct line of communication.

3. What is the organization’s indemnification policy for directors? Derivative-liability claims against directors for failing to sufficiently oversee cyber risk are on the rise.  An organization’s indemnification policy should be designed to protect directors from personal liability in the course of their duties on the board. A director should be aware of the extent of this indemnification and the circumstances under which it applies. An effective indemnification agreement should incorporate at least the following elements:

  • Precise Definitions: To avoid ambiguity, the agreement should include precise definitions of key terms that determine the scope of indemnification, such as "claims," "proceedings," "expenses," and "losses."

  • Advancement of Defense Costs: To ensure adequate protection, the agreement should explicitly state the company's obligation to cover defense costs upfront. This provision should apply to both present and former directors or officers, ensuring comprehensive protection.

  • Reimbursement of Fees-on-Fees: The agreement can address the reimbursement of expenses incurred in successfully asserting a claim for indemnification. It is common for directors to be indemnified against third-party suits, but it may be necessary to specify their entitlement to attorneys' fees and costs if they need to sue the corporation to enforce their indemnification rights.

  • Determination Process and Time Frames: The agreement should outline a specific time frame for determining whether indemnification is owed. It should also establish a mechanism for the indemnitee to appeal or contest the determination, along with clearly defined procedures and deadlines. This clarity facilitates the efficient resolution of claims and provides certainty to the party seeking indemnification.

  • Priority: In situations where a director or officer has indemnification rights from multiple sources (e.g., a private equity fund or sponsor), both parties should specify the relative priority of each indemnitor. This ensures that the indemnified individual understands the order in which they can seek indemnification from different parties.

  • Insurance: The indemnification agreement should require the company to provide Directors and Officers (D&O) liability insurance. This insurance should offer the same level of protection as the most favorable coverage provided to the company's current directors and officers, as well as its affiliates.

By incorporating these elements, a well-drafted indemnification agreement can provide comprehensive protection and clarity for directors and officers, ensuring their rights are safeguarded in various scenarios. Be aware of any statutory limitations in your jurisdiction, and make sure you understand them and how they may affect the indemnification policy.

4. How comprehensive is the organization’s Directors & Officers (D&O) insurance, and does it provide adequate protection for me in my role as a Director? D&O insurance is another critical layer of protection for directors. Understand the coverage of the policy, the limits, the types of claims it covers, and how it interacts with the company's indemnification provisions. The goal is to ensure that you have sufficient coverage to protect yourself against potential legal actions arising from your role as a director. Keep in mind that your organization’s CISO may be asking the same questions, and you can review our previous post for more details about D&O considerations at the following link:

https://www.hoschmorris.com/privacy-plus-news/top-5-questions-every-ciso-should-ask

5. Is the Board promoting a culture of cybersecurity within the organization? As a director, your actions can significantly influence the company's culture. Promoting a culture of cybersecurity, where every officer, director, employee, and contractor understands their role in maintaining security, can significantly reduce the risk of cyber threats and help demonstrate the “reasonableness” of your organization’s cybersecurity posture. Consider whether the board is setting the right tone and whether cybersecurity is being integrated into all aspects of the business.

Ultimately, directors are responsible for the governance of their companies, and in today's digital age, this includes cybersecurity governance. In fact, as of just this week, the SEC now requires public companies to disclose material cybersecurity incidents, along with annual information regarding their cybersecurity risk management, strategy, and governance. The SEC’s new rules aim to standardize and enhance the usefulness of cybersecurity disclosures. Implementation begins 30 days after publication in the Federal Register:

https://www.sec.gov/news/press-release/2023-139

Going forward, by keeping these five considerations in mind, directors can better fulfill their responsibilities, protect their organizations from cyber threats, and protect themselves from personal liability. Always remember that cybersecurity is not just an IT issue—it's a business issue that requires the board’s attention and understanding.

--- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
