Courts have historically made it difficult to hold directors and officers personally liable for breaches of fiduciary duties. But as cyberrisk management liability standards evolve, directors and officers increasingly face the risk of personal exposure.
In September 2015, following Home Depot’s high-profile data breach that exposed more than 50 million credit and debit card numbers, shareholders sued 12 company directors and officers alleging they breached “their fiduciary duties of loyalty, good faith, and due care by knowingly and in conscious disregard of their duties failing to ensure that Home Depot took reasonable measures to protect its customers’ personal and financial information.” On April 28, 2017, the parties filed a proposed settlement to resolve the matter, which, if approved, would require Home Depot to change its governance structure, reorganize risk management entities, and pay the shareholders’ attorneys more than $1 million, among other costly and time-consuming changes.
Most recently, the WannaCry ransomware incident reminded us of increasingly common and harrowing threats, particularly for those at the helm of an organization who might not be aware of its vulnerability to these attacks. Recovering documents can be costly, and even if the ransom payment is small, most ransomware incidents result in hours, or even days, of downtime. Even worse, the criminals remain in possession of companies’ proprietary data and could sell or release it publicly even after the targeted company believes it has resolved the situation.
Boards face mounting pressure to consider what a worst-case cyber event would look like and how that event would be handled. What corporate governance structures would kick in? Should law enforcement be involved? What will be the legal fallout—whether it is consumer privacy litigation, shareholder suits or criminal investigations? To fully grasp the magnitude of such risk, risk managers and boards must address specific questions and implement effective policies that protect their customers, their organizations and themselves. Proper planning and response are especially critical as failures are increasingly likely to lead to significant consequences.
1. What Are the Fiduciary Duties of Directors and Officers Regarding Cybersecurity?
As most officers and directors understand, it is presumed that they are acting on an informed basis, in good faith, and in the company’s best interests. With respect to cybersecurity issues, courts and corporate regulators are using stringent standards to analyze how boards are identifying, assessing and addressing cyberrisks. Proper board preparedness and risk management are critical to insulating officers and directors from liability.
Reviewing court decisions and regulations, clear standards and best practices for corporations become apparent. Boards must hold frequent meetings—at least quarterly—to analyze cyberrisks and potential plans of actions. They should create or appoint a committee to review cyber issues and/or investigate data incidents and breaches. Boards should also seek third-party guidance with respect to assessing and implementing security enhancements, and must understand what cyberrisks can affect the enterprise and have a clear plan to address these risks. Boards must work with risk management to implement a monitoring, compliance and risk management program, oversee and test the program, and investigate possible violations.
That said, liability is determined not only by how potential problems are anticipated and addressed, but how governing entities respond when actual issues arise. Once data breaches and cyberattacks are discovered, boards and management have a duty to investigate. While such investigations can be internal, they are best handled by independent, outside legal counsel for two reasons: 1) to cement attorney-client privilege, protecting critical and confidential information and analysis from discovery; and 2) to establish good-faith efforts to discharge their fiduciary duties.
2. How Can Officers and Directors Properly Discharge Their Cybersecurity Fiduciary Duties?
Strong, established risk management programs must have the right technology in place to identify where risks can have the most impact on the business and brand. Ideally, entities should have policies in place that detail the expected response to incidents and ensure that “need to access” system controls are in place.
It is also key to have a prepared team, equipped with the tools and ability to take immediate action when problems arise and the authority to monitor and test existing protocols and protections. These internal teams should continually educate the entire organization and aim to eliminate weak points in prevention, response and follow-up related to cyber events. It is also important to seek out broad and varying perspectives and experiences from within the organization as well as through consultants. Variety of experience and perspective helps identify gaps and accelerates the evolution of a cybersecurity program.
As cyber incidents impact multiple levels of an organization, departments including legal, IT, risk/insurance, human resources, marketing and public relations should be tasked with providing input in addition to that of board members and management. The companies best prepared to prevent and respond to cyberattacks recognize that this multifaceted preparedness is an ongoing cycle, and not simply a one-time list of tasks to complete.
While specific policies are important, they represent only half the battle. To demonstrate that a board has properly discharged its duties, it must work with management to ensure the assembly of proper teams and prepare plans to prevent and respond to any breaches. Risk managers, officers, and board members should recognize the cornerstones of truly effective cyberrisk governance:
- Defined roles for directors and management. Defining clear roles for management, board committees and individual directors ensures protocols are developed and deployed cost-effectively.
- Constant assessment of cybersecurity trends and threats. The business judgment rule is a legal principle protecting officers, directors, managers and other agents of a corporation from liability for loss incurred as a result of business decisions that are within their authority and power to make when sufficient evidence demonstrates that the transactions were made in good faith. To ensure protection under the business judgment rule, it is wise to have regular presentations for pertinent committees to provide updates on trends and threats. Incorporating outside counsel in this process can allow attorney-client privileges to take hold and protect critical deliberations from disclosure.
- Cybersecurity vigilance permeates the organization. Employees, vendors and partners must receive continuous education to create a culture of cybersecurity.
- Continually evolving cyber preparedness plans and controls. Organizations must incorporate systematic threat and weakness assessments into their cyberrisk management plans and modify established programs and protocols as required.
- Detailed incident response plans and protocols. An effective program assesses the type and scope of the incident and what critical information has been accessed or misused to prevent further unauthorized access to or misuse. It also establishes business continuity protocols and public relations and/or crisis communication plans involving counsel, consultants and company insiders. Finally, it needs to provide a plan to determine whether law enforcement should be notified.
- Comprehensive insurance coverage. While an industry standard is slowly emerging, gaps between first- and third-party coverage under existing policies may result in uncovered losses. Pay attention to whether coverage applies to attacks over time (which occurs in many situations) as opposed to specific events. To that end, firms should also conduct a comprehensive review of their policies to determine what cyberrisks are covered and what cyber liability insurance policies need to be purchased.
Given the evolution of director and officer policies with respect to cybersecurity, risk managers and boards must understand insurance policy variations and their implications, such as requiring cybersecurity specialists to assess potential policy gaps and blind spots. To that end, the insurance purchasing process can be useful. Determining appropriate coverage often requires completing questionnaires about a firm’s data security practices and procedures. This process can provide a snapshot of a company’s data security risks and practices. More importantly, as carriers often require that the board and management ensure that policies and procedures continue to be in place as a condition of the coverage, boards overseeing this process should work with consultants to ensure that claims cannot be denied due to incomplete or inaccurate applications.
3. What Is the Risk Exposure for Directors and Officers from Cyber Events?
As the number of data breaches grows, potential liability for directors and officers grows as well. While cases were trending toward finding alleged damages too remote to establish liability, courts are reversing course, allowing cases to move forward and increasing the risk of unfavorable judgments. An increase in regulation almost certainly comes with increased regulatory scrutiny and litigation. It is more likely than ever that data breaches will trigger subsequent state and/or federal regulatory actions, shareholder derivative actions, and other claims against directors and officers for injuries to the organization and its value. As data breaches increase, and individuals who have not yet suffered actual out-of-pocket losses from a breach can sustain claims, the pool of potential plaintiffs grows.
The proposed Home Depot settlement demonstrates possible fallout for a company. Home Depot must create corporate cyber governance policies, clarify the role of its chief information security officer, monitor and test its networks, maintain a data security and privacy governance committee, and authorize the board to retain separate IT and data security professionals, among other things. These requirements—and consequences—paint a clear path for corporate boards in terms of the steps they must take now in order to avoid a long, painful process to address cyber issues later.
However, legal liability, which often can be addressed by insurance, may pale in comparison to the effects on business, which often provide the basis for derivative litigation. As WannaCry showed, cyber events can halt operations, expose critical intellectual property, and adversely affect the reputation of a company and its board.
Further, equity funds and companies considering acquisition and investment now take cyber preparedness into consideration, and a lack of planning can impact a company’s value and potential sale price.
4. How Should Companies Reduce Their D&O Risk?
Only board- and officer-level cyberrisk planning can reduce the risk of impaired business continuity, decreased business valuation and reputation damage. Thus, to protect against personal exposure, there must be a shift in traditional fiduciary risk analysis from questions of liability and defense to questions of offensive and proactive cyber stewardship.
Governing entities should deliberately and consistently educate directors about industry best practices and how the company’s cybersecurity policies and controls address critical cyber assets and threats, third-party vendor management, cyber-incident response protocol and insurance coverage. Companies need to consider appointing directors and officers with cybersecurity expertise and creating departments or board committees with primary responsibility for data privacy and cybersecurity issues. Lastly, companies should conduct regular officer and director meetings to ensure that the company’s expectations and processes are followed diligently.
Considering the wide range of cybersecurity risks, only a comprehensive, multidisciplinary approach that integrates legal and risk specialties and service teams can provide owners, officers and directors with the proper cyberrisk reduction tools, enhancing officer and director protection.
With that in mind, organizations must make sure that the proper entities are advising governance and working with attorneys to engage other consultants and experts. When an attorney, especially outside counsel, is involved in the risk management process, it is much more likely that the deliberative process can be protected by attorney-privilege. This often makes it less likely for those seeking to impose liability to get access to how decisions were made while buttressing business judgment rule protections.
As directors and officers must have a high-level understanding of organizational cyberrisks, they must work with risk managers to take a deliberate approach in identifying, assessing and addressing potential cyber issues, as well as ensuring that plans include consistent staff training and ongoing monitoring. By working together, engaged risk managers, officers and boards can create and implement effective cyberrisk management plans to protect their organizations.