Board of Directors' Obligations to Understand Cyber Risk

By Seth Jaffe for the Cyber Governance Corner.

It is no secret that, as an industry, information security suffers from a worker shortage. The Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study concluded that the most common reason is a lack of qualified personnel. But the next most common reason is that senior leadership does not adequately understand the requirements of suitable cyber security personnel.

The goal of this series on cyber governance is to help clarify those requirements, and the obligations of the board of directors. One such obligation is for the board to be able to sufficiently understand the risks associated with cyber security. The most common method for meeting this obligation is to appoint a board member with cyber security expertise who can then interpret cyber risk assessments for the board. Indeed, proposed text for the Cybersecurity Disclosure Act of 2017, currently a bill in the U.S. Senate, calls for a public company to disclose in its annual report or proxy statement “whether a member of the governing body . . . has expertise in cybersecurity.” Notwithstanding the Act, the board of directors owes a duty of care to the company, which includes remaining informed about cyber risks as well as ensuring that management is implementing programs to mitigate these risks. See our prior post on the board’s risk oversight responsibilities.

In the alternative, the board can delegate responsibility to a committee having members with cyber expertise, which then counsels the board. Home Depot’s board of directors, for example, delegated cyber responsibility to a committee, and even though the board failed to properly include cyber risk review in the committee’s charter, a court found that the committee satisfied the board’s duty.[1] The Home Depot decision, and others like it, will be the focus of future posts in this, the Cyber Governance Corner.

[1] See In Re Home Depot Shareholder Derivative Litigation, 15-CV-2999, GA. 2016.

Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.
