Issue link: https://digital.shearman.com/i/1035494
Shearman & Sterling LLP 18 | Cybersecurity – Board Oversight

WHAT SHOULD BOARDS (AND THOSE THAT ADVISE THEM) DO NOW?

It is clear that boards need to ensure they have the proper focus and support to oversee cybersecurity and data security risks effectively. Even companies that do not hold large volumes of customer data are vulnerable to attack. Hackers can target a company to gain access to material unreported financial information to be used for insider trading purposes. Cyberattacks can be used for corporate espionage to steal critical business processes, intellectual property or trade secrets. And individuals may design cyberattacks to freeze a company's networks for a ransom, or simply to show that it can be done. Failure to maintain proper oversight of cybersecurity matters can create significant exposure for the company and, if the board is found to have failed in its oversight function, for its directors. In addition, remediation costs, business interruption and management distraction, coupled with reputational harm, can be incredibly damaging.
We have seen recent examples of business combinations being impacted by cybersecurity breaches, and earlier this year the SEC brought the first-ever case against a company for failure to properly disclose and oversee a cybersecurity incident. Although every company has a different cybersecurity risk profile, which demands a level of focus and attention appropriate to its profile and to the materiality of cybersecurity risks to its business, the following are things that all boards should consider now:

- Ensure that management promotes a cybersecurity risk-awareness culture throughout the company
- Recognize that cybersecurity is not a technology issue, but an enterprise risk management issue
- Ensure management develops a framework to address cybersecurity and data security for the whole organization
- Understand the type, scope and extent of the cybersecurity risks facing the company and how the company's operations, financial condition and reputation could be impacted by the range of possible breaches
- Do not overlook customer and employee data security and privacy-related risk exposure, and the exposure posed by critical third-party vendors and service providers
- Raise cybersecurity and data privacy questions in connection with the development of new products and services, the entry into new jurisdictions and when considering acquisitions
- Ensure adequate disclosure controls and procedures are in place so that cybersecurity incidents are reported promptly and to those responsible for disclosure matters
- Review management's incident response plans and prepare a board response plan — do not wait for a cybersecurity incident
- Receive regular briefings from those responsible for cybersecurity and use these briefings to probe management on their experience and expertise and on the adequacy of the budget allocated for this effort
- Assess whether the board has the requisite expertise to oversee cybersecurity risk management