Cyber Directors: Greater Expertise, Greater Liabilities?
The World Economic Forum ranks cyber security ahead of terrorism among the top 10 economic threats facing 140 countries. In the corporate arena, oversight of cyber security risk is the responsibility of the board.
As noted by the commissioner of the SEC, “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.”
Boards have taken up the charge. According to the Lloyd’s of London “Biennial Risk Index,” cyber security rose from 11th place on board agendas in 2011 to third place in 2013. Companies’ increased spending on cyber security protection further supports this trend.
According to Gartner Inc., companies spent $86 billion on protection efforts in 2015, which reflects an 18 percent increase from the prior year, and are expected to spend $94 billion in 2016.
The question, then, is how a board can address the complexities of cyber risk while meeting its duty of care.
Congress has proposed a disclosure requirement rather than an outright mandate. The Cybersecurity Disclosure Act of 2015, a bill introduced in the Senate, would require public companies to disclose whether any director has cyber security expertise or experience and, if none does, to explain what other cyber security steps the company took into account in lieu of having such expertise on the board.
At the same time, boards today address cyber risk in one of several ways.
Some address cyber security as a plenary board, receiving reports, engaging in discussions and making critical decisions as a whole. This can prove challenging given the limited time available at a board meeting and the lack of board-level cyber expertise.
Alternatively, boards may delegate oversight of cyber risk management to the established audit committee. A committee forum provides more time for analysis and expert consultation. However, audit committees are more likely to have financial than cyber expertise, and are more attuned to financial than to technology and innovation issues.
Other boards create a cyber security committee or seek to add a cyber expert to the board itself. Either way, the board is seeking greater cyber expertise and experience at the board level.
The issue then becomes whether the cyber expert-director faces a higher risk of liability than fellow directors. Will the cyber expert-director be held to a higher standard of care regarding cyber risk management?
All corporate directors owe a fiduciary duty of care to the company and its shareholders. In discharging that duty, a director must act as a reasonably prudent person would act under the circumstances. The reasonably prudent person is taken to possess the knowledge, skill and experience that the director in question actually has: a director with a particular expertise, skill or experience is expected to apply it.
Accordingly, the cyber expert-director could be held to a higher standard of care and diligence in reviewing cyber-related matters than a director without cyber expertise.
No director may turn a blind eye to negligence, and all directors must act with diligence and care in addressing cyber matters. The cyber expert-director, however, can arguably be expected to act as a reasonably prudent cyber expert would act under the circumstances, conducting the kind of diligent technical review and evaluation of cyber matters that a director without cyber expertise could not undertake.