A June newsletter from Weil, Gotshal & Manges LLP focuses on the responsibilities of directors to oversee their company’s cyber risk program, provides suggested questions directors can ask about cyber security, and reviews insurance options in the area.
Although the newsletter is written about operating companies, cyber security is part of any director’s “good faith” duty of oversight. Director scrutiny is increasing: in the aftermath of Target Corporation’s most recent cyber-attack, ISS has recommended voting against all members of Target Corporation’s audit and corporate responsibility committees, citing the fact that “these committees should have been aware of and more closely monitoring the possibility of theft of sensitive information.” The plaintiffs’ bar has filed two class action suits against the Target board. And the SEC is examining investment advisers for cybersecurity issues.
The newsletter outlines several questions that can help guide directors as they oversee their company’s security and risk-management procedures.
Questions for the board include:
• How should the board allocate the responsibility of cyber security? Should the responsibility of maintaining sound cyber security procedures fall on the entire board, or can it be assigned to the Audit Committee or a Risk Committee? Should the board create a Cyber Committee or seek additional board members who have specific cyber security experience?
• What is the frequency of board briefings on cyber security? Are quarterly or monthly briefings necessary?
• Should the board hire “cyber advisers” to consult on these issues?
• In case of a breach of cyber security, does the Company have a specified cyber incident plan? Have employees been instructed in how to react?
• What would be the potential loss in a worst-case scenario cyber incident? Here, the newsletter discusses cyber insurance, outlining the coverage that cyber insurance policies now offer.
The full newsletter from Weil, Gotshal & Manges LLP can be found here.