Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...
By Yin Wilczek
May 21 — A board's responsibility for cyber risks boils down to the three “R”s—risk, resources, and readiness and response, Ivan Fong, senior vice president and general counsel of 3M, said May 21.
Fong—a former general counsel of the Department of Homeland Security—noted that because cybersecurity is now an enterprise-wide risk, boards may have to straddle that line between oversight and management.
The “risk” portion of the three Rs may be divided into external and internal risks, Fong said, explaining that the external risks are legal, regulatory and reputational.
He spoke on a panel at a cybersecurity conference hosted by Georgetown University Law Center and co-sponsored by Bloomberg BNA.
On the legal front, boards and companies face liability through shareholder lawsuits and actions by state attorneys general, Fong said. In addition, they face regulatory risks from federal agencies such as the Securities and Exchange Commission and the Federal Trade Commission.
The biggest risk, however, is reputational, Fong said. “Depending on what industry you're in,” reputational risk arising from cyber incidents “is the single largest source of risk and for that alone,” a board member must pay attention to how the company handles its cyber issues, he said.
Resources, too, can be divided into three parts—people, process and technology, Fong said. Although the board is not in the business of hiring or ensuring there are enough resources to adequately protect the company, it does have a responsibility for ensuring that there is a chief information officer who has the right experience, team and funding to do the job, Fong said.
Moreover, the board must ensure that there are processes and the right technology within the company for assessing and dealing with cyber risks.
Finally, in terms of readiness and response, boards must be aware that although not every cyber incident is preventable, the real test is how the company responds to a breach, Fong said.
In that scenario, “it’s very important to have not only a well thought-out but also an exercised incident response plan,” he said. The board also must have a “fairly clear sense” of what role it wants to play—does it merely want to be informed or will it play a more substantive role?
In other discussions, co-panelist Justin Castillo, head of legal for BT Americas Inc., suggested that cyber risks may require a more nuanced approach.
“The fortress mentality of security is implicit in many of the conversations we've had,” Castillo said. However, “as we move forward to a more fully-digitized world,” companies may have to take a “more organic” approach beyond building “higher and stronger walls.”
Castillo also warned that it's not just about preventing breaches—it's also about “keeping the lights on” and having “a Plan B.”
Meanwhile, panel moderator Peter Gleason, president of the National Association of Corporate Directors, said boards “get it” about cybersecurity. Board members “are thinking about it all the time,” he said. “They're catching up.”
To ensure that boards and management are on the same page, Gleason urged senior executives and employees to bring cyber issues to the board's attention. He cited a recent poll showing that 35 percent of board members were not satisfied with the quality of information they were provided on cyber issues, while 52 percent said they were not satisfied with the quantity of that information.
The NACD in June 2014 issued guidance for directors on cyber risk oversight.
Fong suggested that connectivity—while a risk—also can bring opportunity. Balancing the risk with the opportunity is the “key judgment” that boards must make, he said.
To contact the reporter on this story: Yin Wilczek in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Ryan Tuck at email@example.com
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)