From: Association of Corporate Counsel
Paul A. Ferrillo and David J. Schwartz/Weil Gotshal & Manges LLP
In our June 4, 2014 article on cyber security and cyber governance [1] we noted that for many reasons, boards of directors and executives of U.S. companies needed to reexamine how they protect (and respond to the successful hacking of) their most critical intellectual property and customer information. One of the reasons was that all signs out of Washington, D.C. pointed towards increasing federal regulation and oversight of cyber security for public and private companies, and particularly for those in the financial services sector. Further, we foresaw not only heightened scrutiny from regulators, but increasing class action litigation, with plaintiffs accusing boards and management of not taking the appropriate steps to protect company and client data. Our predictions were correct on all fronts.
Just six days after our article, Luis Aguilar, a Commissioner of the United States Securities and Exchange Commission (SEC), stated very clearly in a speech entitled “Cyber Risks in the Boardroom” [2] that,
[B]oards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk and there can be little doubt that cyber-risk also must be considered as part of board’s overall risk oversight. The recent announcement that a prominent proxy advisory firm [Institutional Shareholders Services (ISS)] is urging the ouster of most of the Target Corporation directors because of the perceived “failure…to ensure appropriate management of [the] risks” as to Target’s December 2013 cyber-attack is another driver that should put directors on notice to proactively address the risks associated with cyber-attacks.
Id. (alteration in original) (emphasis added) (footnotes omitted).
Without equivocation, Commissioner Aguilar stated that cyber security was a board responsibility. Likewise, ISS has signaled that directors could or should be held personally accountable for cyber security breaches if they fail to keep their eye on the ball. [3] So too has the plaintiffs’ bar recognized that cyber security breaches may become a lucrative addition to their class action litigation practices. [4]