TheCorporateCounsel.net

December 13, 2024

Cybersecurity: Which Board Committee is Right for Oversight?

This Skadden memo offers insights into emerging board governance practices aimed at providing appropriate oversight of corporate cybersecurity programs. This excerpt notes that boards are starting to look beyond the already heavily burdened audit committee when deciding who should take the lead for the board on cybersecurity oversight:

There is no one-size-fits-all approach. What is important is to be thoughtful about which body has the time available to assess these issues on an on-going basis and will be able to bring relevant expertise to the challenge. Responsibility could be given to the audit committee, since that body usually oversees controls of various sorts and general compliance with legal and regulatory requirements.

But, where cybersecurity issues are central to the business, some companies have created a technology committee rather than saddle the audit committee with additional work, since it typically already has a lot on its plate. Such a technology committee is usually dedicated to overseeing the strategy, performance and compliance of all the company’s technology, positioning this committee well to make cybersecurity governance decisions and address newly emerging challenges associated with other technology issues such as artificial intelligence deployment.

Other companies have a risk committee dedicated to identifying, assessing and mitigating risks, including cybersecurity risks, across the company. In short, there are many approaches to how a board may structure its cybersecurity oversight, yet it is ultimately the board’s responsibility to determine which structure or body would best serve the company.

The memo also provides an overview of directors’ oversight responsibilities and key considerations that boards should keep in mind when establishing governance structures to address cybersecurity concerns.

John Jenkins
