As cyber risk facing companies of all sizes continues to grow, more corporate directors than ever appear to appreciate that their role as fiduciaries requires them to maintain sustained focus on data privacy and cybersecurity just as much as they oversee more traditional elements of enterprise risk management. But even as boards increasingly expand their oversight of cybersecurity programs, there is a growing likelihood that their oversight will be challenged in the courts and second-guessed by regulators. The continued growth in the scope and number of cyber incidents will lead to more scrutiny of a board’s oversight of a company’s preparedness, mitigation, response and resiliency programs. After describing the governing standards, this article proposes 10 questions that directors might ask to help meet these standards while minimizing potential liability for perceived shortcomings in corporate cybersecurity programs.

Duties of Directors

It is well established under corporate law in Delaware and elsewhere that part of a director’s duty of care to become and remain reasonably informed in making decisions and overseeing the company’s business is a duty to oversee corporate risk. Under the familiar Caremark standard set out in In re Caremark International Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), directors will be liable for a breach of the duty of oversight only if there was a “sustained or systemic failure of the board to exercise oversight – such as an utter failure to assure a reasonable information and reporting system exists.” As further addressed in Stone v. Ritter, 911 A.2d 362 (Del. 2006), this standard requires proof that directors either “utterly failed to implement any reporting or information system or controls,” or “consciously failed” to monitor or oversee the operations of the system or controls in order to be held liable.

Claims Against Directors