Annual Corporate Governance & Executive Compensation Survey

2019 Corporate Governance & Executive Compensation Survey

Issue link: https://digital.shearman.com/i/1162884


Shearman & Sterling LLP | Cybersecurity – Preparing for the Changing Landscape | 33

WHAT SHOULD BOARDS DO NOW?

Understand Your Company's Risks, Policies and Legal Requirements

Directors should understand the types of cybersecurity risks that their company faces. They should be briefed on relevant threats and vulnerabilities and engage in discussions about how the company prioritizes these threats and vulnerabilities. Some companies will determine that a level of acceptable risk is part of running their business in the ordinary course. In these cases, the board should understand how this assessment was performed, what factors were considered by management and the best practices for similarly situated companies.

For companies that collect and manage consumer information, the board should understand and regularly review the policies and practices related to disclosures made to consumers when information is collected, such as how the company stores and uses consumer information and whether the company's practices comply with current regulatory requirements and industry practices. Irreparable reputational damage can result if a company fails to protect, or is perceived as failing to protect, consumer information with the rigor expected by the individual subjects of that information.

Centralize and Organize

Directors have all heard that cybersecurity matters must be treated as an enterprise risk management issue, but what does that mean? Simply stated, it means that no single part of the business should have sole responsibility for managing and addressing risks. Instead, management should ensure that cybersecurity and data protection risks are both viewed and addressed as a shared responsibility among appropriate groups within a company and not relegated to an information security function. The "appropriate groups" may differ from company to company, but they should always include, at a minimum, those responsible for technology and information security, disclosure, legal and regulatory compliance and financial reporting, including SEC reporting.

The board, in turn, is responsible for ensuring that management has a plan to address these issues on a company-wide basis, is devoting the proper resources to the plan and has hired the people with the experience and expertise to execute the plan effectively. There is no single solution that works for all companies. For some, it may require a dedicated committee and/or one or more directors with specific and identifiable experience. Others may need regular briefings and third-party experts to provide ad hoc advice and testing. At the end of the day, whether or not there is an SEC disclosure requirement concerning director cybersecurity expertise, boards must be able to assess how well management is handling the risks, and to describe the board's role in the oversight of cybersecurity and data protection matters.

Third Parties are Important, Too

Oversight of cybersecurity risk on an enterprise-wide level includes understanding threats to a company's critical operations that are not directly under the company's control. Many companies have outsourced or contracted critical technology and non-technology functions to third parties. Understanding the possible cybersecurity threats to which these third parties are exposed, and the vulnerability of the data that may be provided to third parties, is an important part of the board's oversight; these should also be considered threats to and vulnerabilities of the company. The board should ensure that management has assessed the cybersecurity preparedness and responsiveness of critical partners and vendors, and has formulated plans to ensure that replacement products or services are readily available in the event of an incident.
