TheCorporateCounsel.net

Providing practical guidance since 1975.

January 16, 2025

Cybersecurity: Putting “Board Oversight” Into Practice

If your company suffers a cybersecurity attack, one of the many things you may have to worry about is demonstrating that the board had exercised adequate oversight of cyber risk before the incident occurred. This Skadden memo explains how Delaware fiduciary duties apply to cybersecurity oversight – and suggests approaches to a few common areas of cyber risk:

First, in a world of expanding supply chain risks and “shadow IT,” boards should oversee company processes to track technology assets and understand the associated threats. This could be satisfied, for example, via an IT asset mapping exercise, in which the organization catalogs the location of, and interconnections among, its various IT devices and networks in order to understand what its IT systems depend on and which of them are most critical. The board will want to ensure that management is aware of any technology blind spots, such as unmanaged IT assets, and knows how the company addresses them.

Second, regulators increasingly expect companies to adopt clear roles and responsibilities for cybersecurity and IT governance. The chain of command and authority should be clearly defined and should ultimately route up to the board.

Third, boards need to understand to what extent their organization’s IT depends on other companies or on specific pieces of technology. Several recent incidents have highlighted how an attack on the software supply chain can have cascading effects far beyond the initially compromised vendor. In some sectors, such as financial services, regulators already expect boards to receive summaries or full reports of IT dependencies that pinpoint critical systems and critical third-party service providers.

If these three dimensions are not accounted for in a company’s governance procedures, officers and directors could face probing questions about the quality and sufficiency of their cybersecurity oversight.

The Skadden team notes that good records are critical to proving that the board acted in good faith to establish and monitor systems for cybersecurity risk, especially since plaintiffs are frequently using books and records demands (under Section 220 of the Delaware General Corporation Law) as a prelude to litigation. They offer these recommendations:

– Consider delegating cybersecurity and data privacy oversight to a board committee, and review that committee’s charter to consider adding specific cybersecurity language.

– Take steps to establish monitoring and compliance systems for cybersecurity issues and pay ongoing attention to them. This may include consulting legal counsel and other experts to identify where risks may arise and how best to monitor them.

– Receive reports from management on internal and external cybersecurity events at whatever cadence makes sense for the particular company.

– Coordinate with management and advisers regarding compliance with new cybersecurity disclosure rules and regulations.

– Given stockholders’ increasingly frequent demands to inspect corporate books and records as a prelude to litigation, document the board’s efforts and processes in enough detail to demonstrate the attention paid to understanding and overseeing risk and compliance systems, and to show how the board responded to any cybersecurity issues that have arisen.

Liz Dunshee