The need for boards of directors to focus on cybersecurity is no longer debatable. Federal regulators already expect that certain entities—like financial institutions, critical infrastructure operators, and publicly traded corporations—have directors who receive and engage with regular reports on cybersecurity risks and who understand the state of the corporation's cybersecurity defenses. Some regulators (and laws) go further and require boards of directors to approve the company's information security plan, receive briefings on major cybersecurity events, and advise on major cybersecurity initiatives. Further, new legal requirements like those just adopted by New York's Department of Financial Services require boards of directors (or senior managers) to certify the company's cybersecurity compliance, covering technical, administrative, and physical controls alike. And legislative proposals are being floated that would require boards of directors of publicly traded companies to have at least one director who is an expert on cybersecurity issues.
But most directors are not engineers, and few have IT backgrounds. For these directors, what do these requirements truly mean? Certainly an increased focus on the governance of cybersecurity is in order, and, in the aftermath of a major cybersecurity incident, regulators and litigants may scrutinize the board's responsibility for ensuring that adequate cybersecurity protections were in place. Directors should therefore take reasonable steps to ensure that they are sufficiently engaged and knowledgeable to judge whether their company's cybersecurity protections meet the standards of their industry. To help guide directors, we have identified five key principles to focus board engagement on cybersecurity issues.