Boards Should View Role on Cyber Risks In Terms of 3 ‘R's, Executive Says


By Yin Wilczek

May 21 — A board's responsibility for cyber risks boils down to the three “R”s—risk, resources, and readiness and response, Ivan Fong, senior vice president and general counsel of 3M, said May 21.

Fong—a former general counsel of the Department of Homeland Security—noted that because cybersecurity is now an enterprise-wide risk, boards may have to straddle that line between oversight and management.

The “risk” portion of the three Rs may be divided into external and internal risks, Fong said, explaining that the external risks are legal, regulatory and reputational.

He spoke on a panel at a cybersecurity conference hosted by Georgetown University Law Center and co-sponsored by Bloomberg BNA.

Legal Risks

On the legal front, boards and companies face liability through shareholder lawsuits and actions by state attorneys general, Fong said. In addition, they face regulatory risks from federal agencies such as the Securities and Exchange Commission and the Federal Trade Commission.

The biggest risk, however, is reputational, Fong said. “Depending on what industry you're in,” reputational risk arising from cyber incidents “is the single largest source of risk and for that alone,” a board member must pay attention to how the company handles its cyber issues, he said.

Resources, too, can be divided into three parts—people, process and technology, Fong said. Although the board is not in the business of hiring or ensuring there are enough resources to adequately protect the company, it does have a responsibility for ensuring that there is a chief information officer who has the right experience, team and funding to do the job, Fong said.

Moreover, the board must ensure that there are processes and the right technology within the company for assessing and dealing with cyber risks.

Finally, in terms of readiness and response, boards must be aware that although not every cyber incident is preventable, the real test is how the company responds to a breach, Fong said.

In that scenario, “it’s very important to have not only a well thought-out but also an exercised incident response plan,” he said. The board also must have a “fairly clear sense” of what role it wants to play—does it merely want to be informed or will it play a more substantive role?

Nuanced Issues

In other discussions, co-panelist Justin Castillo, head of legal for BT Americas Inc., suggested that cyber risks may require a more nuanced approach.

“The fortress mentality of security is implicit in many of the conversations we've had,” Castillo said. However, “as we move forward to a more fully-digitized world,” companies may have to take a “more organic” approach beyond building “higher and stronger walls.”

Castillo also warned that it's not just about preventing breaches—it's also about “keeping the lights on” and having “a Plan B.”

Meanwhile, panel moderator Peter Gleason, president of the National Association of Corporate Directors, said boards “get it” about cybersecurity. Board members “are thinking about it all the time,” he said. “They're catching up.”

To ensure that boards and management are on the same page, Gleason urged senior executives and employees to bring cyber issues to the board's attention. He cited a recent poll showing that 35 percent of board members were not satisfied with the quality of information they were provided on cyber issues, while 52 percent said they were not satisfied with the quantity of that information.

The NACD in June 2014 issued guidance for directors on cyber risk oversight.

Fong suggested that connectivity—while a risk—also can bring opportunity. Balancing the risk with the opportunity is the “key judgment” that boards must make, he said.

To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Ryan Tuck at
