TheCorporateCounsel.net

July 11, 2023

Cyber Risk Oversight: 10 Questions for Boards

With the SEC continuing to signal that it will finalize cyber disclosure rules sometime soon – and the Enforcement Division already pursuing and cautioning against potential disclosure shortfalls under existing rules – boards are taking a fresh look at their approach to oversight on this topic. This Reed Smith memo suggests 10 questions that boards can ask to get useful information about cyber risks:

1. What and where are your company’s technology-based assets?

2. What cyber insurance does the company benefit from and when was it last reviewed?

3. How do your company’s employees and third-party contractors interact with the company’s cyber assets?

4. What are the legal, regulatory and reputational consequences of a cyberattack on your company?

5. Who at the company owns the cybersecurity risk portfolio? Does the business have sufficient capacity to deal with cybersecurity issues?

6. What cyber expertise exists at the company’s board level?

7. In the event of a cyberattack, what is the company’s plan to mitigate its impacts and consequences?

8. What is the reporting structure to the board regarding cybersecurity issues, and at what frequency does the board receive reports on cyber issues?

9. What cybersecurity policies are in place at the company? How does the company ensure that its employees, contractors and other third parties comply with the policies?

10. Specifically, how does the company ensure that online meetings are kept private and secure in the increasingly hybrid working world?

The full memo gives more color on each of these questions. While I’m not sold on the notion that every board needs a cyber committee or cyber-expert, which the commentary to Question No. 6 could be interpreted as suggesting, the question itself is still worth asking – especially if the SEC’s rule on this topic is adopted as proposed. Visit our “Cybersecurity” Practice Area for additional practical resources.

Liz Dunshee