Over the past three years, I’ve been outspoken about the need for better board oversight of cyber security, as well as the need for better cyber security disclosure. The severity of the cyber threat is so significant to companies, as well as to the nation’s economy and security, that boards have no choice but to pay attention. Indeed, I can easily envision a world where, as a practical matter, directors face a heightened risk of personal liability for cyber-security problems. And over the past several years, there has developed an army of talented IT, legal, and insurance professionals ready to help boards manage this threat, and there are some very proactive, outspoken, and conscientious directors who are trying to lead the way.
Yet surveys still say that, on the whole, directors aren’t sufficiently engaged, and companies aren’t providing directors with sufficient information and support.
How in the world could that be so?
Below, I examine two of the underlying problems, and provide solutions: (1) a suite of problems that I call “cyber freak-out,” and (2) an odd lack of concern about director liability.
The average corporate director was 47 years old when Amazon became a public company. Although that was also almost 20 years ago, and most people who serve on boards have grown comfortable with computers and the basics of technology, there is nevertheless a fundamental sense of discomfort with discussion around the IT aspects of cyber security.
This discomfort yields a suite of problems that I diagnose collectively as “cyber freak-out.” Cyber freak-out includes one or more of the following stated or unstated excuses for not tackling cyber security issues:
- Excuse: The audit committee handles risks, so that’s the right group to handle cyber security.
- Reality: Cyber security is an enterprise risk that the full board needs to understand and decide how to manage – even if it is ultimately given to a committee. And the audit committee has too much work already.
- Excuse: Being hacked is inevitable, so we can’t do much about it.
- Reality: Cyber security oversight isn’t just about preventing attacks – it’s also about deciding what assets to protect and how to respond to a breach, among other issues.
- Excuse: Cyber security is an IT issue, and the IT folks have told us for years that we’re safe.
- Reality: The world of cyber security poses higher risks now, and it’s incumbent upon the board to ask hard questions of the IT department. There are outside consultants galore who can give the board an independent evaluation. And cyber security is not just an IT issue. Most cyber attacks can be prevented through employee education – which presents issues of employee training and corporate culture, which even a Luddite director can help shape.
And there are several more things few people say out loud, but I fear that too many think:
- Excuse: We should have been on top of this earlier, so engaging in a full-scale program of cyber security readiness will make us look bad.
- Excuse: I don’t want to ask a dumb question, and don’t think I can ask a smart one.
- Excuse: If I wait long enough, one of my fellow directors will get up to speed and lead us through what we need to do.
- Reality: The absurdity of these excuses speaks for itself.
Another common mistake is to assume that cyber attacks are limited to companies with personal information, like credit card numbers or health information. That is wrong: Any company with valuable assets – including trade secrets – is and will be a target. The reason that companies with personal information grab the headlines is that their breaches have become public because of breach-notification laws. Companies that aren’t subject to breach-notification laws rarely disclose cyber breaches. One of the country’s leading cyber-security lawyers to public companies said at the SEC’s Cybersecurity Roundtable in March 2014 – in the presence of SEC Chair White and Commissioners Aguilar (who gave an important speech in June 2014 on board oversight of cyber security), Gallagher, Piwowar, and Stein:
I would say that I really can’t think of a case – and we’ve worked a lot – where the disclosure thinking or analysis was driven by the securities law issues, frankly.
Basically there are other state laws, other situations that are going to create a disclosure obligation, and that’s what drives it. And I think just to be someone speaking from the trenches in terms of the reality of what really happens, there is a tremendous disincentive to disclose a breach.
I believe that the well-known cyber breaches are the very tip of the iceberg, and the much larger cyber security problem is, and will be, beneath the surface until companies start disclosing cyber security issues because of their yet-unenforced federal securities law obligations. A company whose IP has been stolen, or whose business has been interrupted, faces various disclosure issues. The issue isn’t just whether a breach is material. It’s much broader: a cyber security breach could make any number of statements misleading, including financial statements, earnings guidance, statements about internal controls, and statements about the status and prospects of the business operations. Yet most directors seem to believe that cyber security is just a problem for banks, retailers, and health-care providers and insurers. That’s just not so.
The problem with cyber freak-out is that it undercuts directors’ main defenses to shareholder claims of breach of fiduciary duty. There are two main claims for breach of fiduciary duty in this area:
The first type of claim is for a failure to act, or a failure to engage in appropriate oversight, under a standard articulated in a leading case called Caremark. The Caremark court itself described this claim as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” To be liable for a failure of oversight – a type of breach of the duty of loyalty – a director must fail to establish any system for detecting problems, or if a system exists, must deliberately fail to monitor it or follow up on red flags. Thus, the only way a director can be liable for a failure of oversight is to not even try – or in the cyber security context, to be paralyzed by cyber freak-out.
In contrast to a claim for inaction, the second type of claim is based on director action. Such claims are governed by the business judgment rule, which protects from second-guessing a decision made by informed and disinterested directors. A shareholder can overcome the presumption, however, if the challenged decision was not informed. Cyber freak-out can result in challenged cyber-security decisions being insufficiently informed, and thus outside the protection of the business judgment rule.
Thus, directors will not be liable if they in fact oversee cyber security, and make decisions about cyber security based on adequate information. Boards need to just pay attention and start somewhere – there’s no secret sauce, and perfection isn’t required. There’s no cyber-security intelligence test. An inquisitive director can do a good job overseeing cyber security without even being a computer user.
On the one hand, diligent directors don’t face real risk of liability for cyber security oversight. On the other hand, I believe the fear of director and officer liability needs to increase before directors and officers and their companies sufficiently tune up their cyber security oversight and disclosures.
Although I don’t wish a lawsuit on anyone, much less actual liability, I think some jarring liability event is necessary: Just as Bill Lerach, Mel Weiss, and other prominent securities class action plaintiffs’ lawyers have greatly improved the quality of corporate disclosure, and corporate-law decisions like Smith v. Van Gorkom have improved board decision-making processes, so too would a cyber-security liability jolt improve cyber-security oversight and disclosure. But at the moment, directors and officers observe that stocks generally haven’t dropped enough to trigger securities class actions, and the handful of shareholder derivative cases haven’t been virulent. And the shareholder derivative litigation dismissal in Wyndham, while great for Wyndham’s directors, probably set cyber security oversight back. The Wyndham decision, resting on the board’s post-breach process in deciding to reject a shareholder demand on the board, was virtually meaningless in its impact on the law governing board oversight of cyber security.
But securities and corporate governance litigation involving cyber security problems is indeed coming. And it may be ugly. The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims. We not only could see a sharp uptick in the number of claims, but they could be quite difficult for directors and officers to defend, until cyber security oversight and disclosure improve. I worry about this dynamic a lot.
I also worry about SEC enforcement concerning cyber security. The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk. But directors and officers shouldn’t think the SEC is going to announce new guidance or make new rules before it begins enforcement activity around cyber security disclosures. All it takes to trigger an investigation of a particular company is some information that the company’s disclosures are rendered false or misleading by inadequate cyber security. And all it takes to trigger broader enforcement activity by the staff is a perception that companies aren’t taking cyber security disclosure seriously. That may or may not be preceded by further cyber security disclosure guidance. And companies need to be concerned about whistleblowers, including over-worked and under-paid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.
Greater cyber security oversight, and better corporate disclosure, are inevitable. I hope that they happen naturally, as the result of good counseling by the advisors who are ready and able to help, rather than only developing after we are hit by the inevitable wave of shareholder litigation and SEC investigations and enforcement actions.