On January 25, 2022, Gary Gensler, chairman of the U.S. Securities and Exchange Commission (SEC), on his YouTube channel “Office Hours with Gary Gensler,” explained that the world’s first hack (of securities, no less!) was committed in 1834 by two brothers from Bordeaux, France: François and Joseph Blanc bribed telegraph operators to tip them off as to the direction the market was heading (beating out the Paris-based investors who had to wait for the news to arrive in the City of Lights by stagecoach).
The chairman, while highlighting the particular vulnerability of financial markets to cyberattacks, provided a road map to modern regulatory rulemaking relating to financial sector SEC registrants, funds, advisers, broker-dealers, public companies and service providers. Two days earlier, Gensler, in highlighting the most dramatic change to our markets arising from the use of predictive analytics and artificial intelligence, specifically called out investors’ demands for additional information from companies with respect to climate risk, human capital and cybersecurity.
Sampling recent legal, regulatory and market developments makes plain the need for foundational privacy and security (cybersecurity) program building blocks that incorporate legal and regulatory, industry and geopolitical considerations, as well as environmental, social and governance (ESG) ones. Asking the right question at the right time is as important as the actual design of the governance framework, and so is putting in place a compliance program that is equally informed by, and aligned with, legal obligations, regulatory priorities, industry standards, and consumer-centric expectations and rights.
Is the Board Engaged?
A convergence of regulatory developments in 2021 put the spotlight on the legal risks associated with personal data, as boards and management navigated pressures to monetize personal data for the business without running afoul of global consumer privacy rights or suffering the inevitable data breach. With the increased value of first-party data, the potential impact of fines, reputational harm and compliance burden on advertising spend and its return on investment, and greater European Union, Asia-Pacific and U.S. regulatory emphasis on consumer harms from targeting, profiling and dark-pattern interactions, companies are considering how best to calibrate the risk and reward of security and privacy requirements.
State-specific privacy regulations (including in California, Colorado and Virginia, all of which include cybersecurity provisions), international regulations with global reach (such as the General Data Protection Regulation), and ESG guidelines, frameworks and standards cumulatively create a boiling pot ripe for shareholder activism, consumer complaints, regulatory investigations and judicial decisions.
Boards of directors and management face an evolving, dynamic and complex risk portfolio landscape occasioned by exploding data, multiplying vendor ecosystems, cross-jurisdictional data flows, patchwork privacy regulations, maturing ESG expectations, and malevolent private and state cybersecurity actors. But at a major directors’ conference, participants noted that “as technology is so pervasive, information so distributed and cybercrime so fluid, reports from the CISO to the board are, at best, table stakes in cyber assurance.” As noted in a Tapestry Networks publication in February 2020, “Directors say they need to create further checks and build trust not only with their CISOs but also across executive ranks, and in some cases at deeper levels of management than is customary.”
In a timely and unusually bipartisan approach, on February 9, 2022, two U.S. senators advised the SEC to require publicly traded companies to disclose whether they have cybersecurity expertise on their boards of directors. Reinforcing this view, the Federal Trade Commission noted that “Contrary to popular belief, data security begins with the Board of Directors, not the IT Department.”
The contours of a director’s obligations of loyalty, due care and good faith are well established in U.S. jurisprudence (by way of the Caremark decision). In general, in order for directors to be found personally liable, the risk issue must be mission-critical, and there is a very high threshold necessary for a plaintiff to prevail. While neither the nature of those decisions nor the specific nuances of what a cybersecurity bad faith claim might entail is the subject of this article, the nature of the risk and how it is addressed is illustrative in the context of Caremark. Regardless of the legal instrument or underlying claim across civil litigation or regulatory oversight, the gist is that cybersecurity “is an area of consequential risk that spans modern business sectors … and the board must make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks.” (Firemen’s Ret. Sys. of St. Louis on behalf of Marriott International, Inc. v. Sorenson)
Board Engagement With Management
From a practical perspective, then, we can draw from judicial opinions, regulatory guidance and industry associations a set of topics to obtain decision-useful information necessary to guide the enterprise. These topics will not only be relevant to the board but will also align legal, compliance, audit, privacy and security, marketing, and sales around a common framework for risk identification and mitigation.
- Legal considerations:
  - Are there regular updates from inside counsel or outside experts?
  - Are there protocols in place requiring management to keep the board apprised of (cyber) compliance practices, incidents, red flags and risks in a timely manner?
  - Is there a reasonable system to ensure updates and information flow on important issues and risks?
  - Is there an existing or new committee tasked with specific oversight of cybersecurity?
  - Are discussions and decisions relating to cybersecurity memorialized in board minutes?
- Regulatory considerations:
  - What kind of data are we keeping, and why? And where are we keeping it?
  - Are our policies and procedures adequate to protect our data?
  - Are our actual security practices in line with our policies and our public-facing statements?
  - Are our security investments and expenditures in line with our security risks and threats?
- Industry considerations:
  - Do we have a systematic framework, such as the National Institute of Standards and Technology Cybersecurity Framework, to address cybersecurity?
  - What are the company’s cybersecurity risks, and how is the company managing these risks?
  - Where do management and our IT team disagree on cybersecurity?
  - How do key functions work together to establish a culture of cyber risk awareness and personal responsibility for cybersecurity?
There are numerous industry-standard and risk-specific frameworks for evaluating and measuring data-specific risks in a quantifiable and qualifiable manner. From management’s perspective, those frameworks, aligned with specific statutes and regulations, are critical in monitoring risk. From the board’s vantage point, it may be useful to employ a multidisciplinary lens that incorporates tactical risk mitigation and managerial feedback into a governing framework across the risk areas most likely to cause reputational harm, share price impact and long-term viability.
In a changing environment, risk is ever present, and change is the new norm. While members of the board are unlikely to have all the right answers, they need to be asking the right questions with a firm understanding of the risk appetite and evolving risk profile of the organization. A formalized compliance framework will help drive efficiency and effectiveness, and ultimately create the platform for long-term investor value. As the Blanc brothers’ nefarious hack of 1834 shows, not every risk will be anticipated, yet boards can help build a more nimble and communicative relationship with management and thus become more effective advocates and stewards of corporate growth and risk management.