Extracted from Law360
New regulations, including the U.S. Securities and Exchange Commission's cybersecurity disclosure rules,[1] as well as recent regulatory enforcement actions bringing board governance under scrutiny, continue to push boards in the direction of active engagement in relation to their cyber-oversight role.
But just what does this mean in the context of a board's involvement with a company responding to a significant cybersecurity incident?
At one end of the spectrum, a board that is engaged on a particular matter may nonetheless take a relatively limited role in the response: it is provided with the material details of the event and asks questions in order to gain comfort with management's decisions and approach.
At the other end of the spectrum, boards can take a much more engaged role, not only participating regularly in calls as the incident unfolds and asking probing questions, but also engaging on key decisions related to the response in a way that leans toward engagement in the day-to-day management of the incident.
This may include, for example, encouraging the company to engage specific third-party experts; directing the company on its decisions to take or not take systems offline given business impact; strongly encouraging the company to interact with customers and employees in a certain way; and ultimately, expressing outright approval regarding the decision of whether to engage with and pay criminal extortionists.
With the growing pressure to become active and engaged on cyber risk, what involvement satisfies the board's oversight role and strikes the right balance for it and the company?
Board Oversight Role in Cyberbreach Responses
As a general matter, at the time of an incident, the board's role is one of oversight, that is, to oversee the company's material risks arising out of the incident, the company's response to the incident and the likely effect on the company.
Boards exercise this role in significant part by becoming informed on the nature and scope of the incident, the company's action or response plan, the status of the investigation, and the company's containment strategies and remediation plan.
It is also expected that the board should receive timely updates on changes in material facts as the investigation into the nature and scope of the incident unfolds. If a third party is engaged by the company in the response — for example, a forensic investigator or law firm — the third party may report directly to the board on the key facts or risks associated with the incident.
In short, the board's oversight role in the wake of a significant cyberincident is to become informed and remain actively engaged in understanding the event as facts unfold, in particular, by asking probing questions in order to assess the company's response.
Certainly, not every incident a company experiences will or should be escalated to the board. However, with a growing number of incidents resulting in significant legal, operational and financial consequences for organizations, boards and/or relevant board-level committees are expected to have a general awareness of the company's incident response plans and protocols, including what types of incidents will be escalated to them, when, and by whom.
Management should retain some discretion over escalation, but there should generally be no surprises when a significant incident occurs, and no second-guessing of management's decision to escalate or of the timing of that escalation. It is helpful, if not expected, for the escalation process to be documented so as to avoid such surprises, and the board should be comfortable with that process.
Indeed, when an incident occurs, it is prudent from a regulatory perspective to document when and how the board is informed of, and updated on, the cyber event. A record of this reporting and of any updates helps the company defend against, or mitigate the exposure from, potential lawsuits, SEC enforcement actions and shareholder derivative suits.
The Evolving Regulatory and Litigation Landscape
Recent regulations point toward an expanded role of boards in overseeing cybersecurity programs, and in particular how a board will be engaged to meet these compliance obligations in the case of a significant cyberincident.
For example, the recently effective second amendment to Title 23 of the New York Codes, Rules and Regulations, Part 500, issued by the New York State Department of Financial Services,[2] requires timely reporting of significant cybersecurity events to the senior governing body overseeing the company's cybersecurity program, which reflects an expectation that the board will take a more active role in the event of a cyberincident.
Similarly, under the new SEC cybersecurity disclosure rules,[3] public companies must disclose in their annual report the board's oversight of the company's cybersecurity risks, including any board-level committee responsible for such oversight as applicable, and the processes by which the board or its relevant committee is informed of such risks.
Under the new SEC cybersecurity disclosure requirements for public companies, registrants are required to report a material cybersecurity incident on a Form 8-K within four business days after determining the incident is material. While the new cybersecurity disclosure requirements do not necessarily require board involvement, registrants frequently involve board members — or relevant committee members — when assessing whether and how to disclose a material cybersecurity incident.
In recent years, there have been several enforcement actions and lawsuits that have examined cybersecurity controls and board governance.
In actions stemming from cyberattacks, the SEC has settled numerous cases, all of which involved alleged misrepresentations about the company's security controls or the cyberattack itself, and/or associated failures to maintain adequate disclosure controls.
The SEC also has a pending matter against SolarWinds — SEC v. SolarWinds Corp., in the U.S. District Court for the Southern District of New York — where it has brought civil claims against the company and its chief information security officer for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities in advance of the Sunburst cyberattack.[4]
These regulatory developments follow a series of shareholder derivative actions alleging claims "on behalf of the company" against officers and directors for purportedly failing to oversee the company's cybersecurity risks, in breach of their fiduciary duties.
For example, shareholders of SolarWinds filed a derivative action[5] against certain members of the company's current and former directors following disclosure of the Sunburst cyberattack, alleging that they failed to implement a system of corporate controls for overseeing the company's cybersecurity risks and overlooked purported "red flags" of cyberthreats against the company.
The Delaware Chancery Court granted the defendants' motion to dismiss the case,[6] based in part on the plaintiffs' failure to plead that the board had allowed the company to violate "positive law," the court observing that "absent statutory or regulatory obligations, how much effort to expend to prevent criminal activities by third parties against the corporate interest requires an evaluation of business risk, the quintessential board function."
While defendants in the SolarWinds litigation therefore successfully avoided liability, as cybersecurity and privacy rules and regulations continue to proliferate, it remains to be seen whether future derivative plaintiffs may have more success.
Challenges in Striking the Right Balance — Board Oversight vs. Management
As expectations for board involvement in cybersecurity matters continue to rise, striking the right balance in cyberbreach responses is becoming more challenging, because the line between oversight and management is increasingly blurred.
At what point does board engagement, in the form of asking probing questions, offering insight and suggesting strategic direction for the response, cross the line into day-to-day management of the incident response? By way of example, board members may join daily forensic investigation calls in order to receive real-time information, but the input they provide on those calls may be taken by management as a "must do" rather than a "may consider."
It can also be challenging for a board member who is experienced in IT or cybersecurity, or who has lived through a significant cyber matter at another entity, not to jump in, question the level of expertise of the company's cyber forensic investigator and "suggest" that the company engage a second forensic firm. Second-guessing management's decision to engage a leading cyber forensic investigator not only blurs the line between management and oversight, but could also lead to conflicting investigatory findings and distract the company from the necessary investigatory and remediation tasks.
Boards can also be tempted to dive into "what went wrong" at a time when the company is, and needs to remain, focused on "what happened" in order to contain the incident and prevent a similar occurrence. Requesting information, investigation and documentation of what went wrong is often not in the company's best interest, particularly in the early stages of responding to an attack.
Of course, there are areas of a company's response where board input and even approval can be expected, for example, in ransomware attacks, seeking approval from the board to negotiate and pay a ransom up to a certain amount, should management deem it in the best interest of the company.
Nonetheless, the line between oversight and management has blurred given the pressure on boards to become more involved in cyber matters, and these lines will likely continue to become blurrier.
Board Training and Tabletop Exercises
Tabletop exercises continue to be a useful way to build the muscle memory that is needed when a cyberattack actually occurs.
To date, most tabletops have been either technical exercises, involving the company's information security and information technology teams, or executive exercises, involving the company's executives from various departments, including not just information security and information technology but also legal, communications, marketing, finance, human resources, operations and so on.
More recently, boards have become involved in tabletop exercises. This could be the result of the recently updated 2023 Director's Handbook on Cyber-Risk Oversight by the National Association of Corporate Directors and Internet Security Alliance, which stated that "[i]t is also advisable for directors to participate with management in one or more cyber breach simulations, or 'tabletop exercises.'"[7]
By including the board, or certain members of it such as the members of the board-level committee that oversees the company's cybersecurity program, in tabletop exercises, the board can gain a better understanding of potential cyberattack scenarios; of the multitude of issues that arise while responding to a cyberattack; and of the company's incident response protocols, including how and when the board is notified. The exercise also helps board members understand what their oversight role would look like during an actual incident response.
Board involvement in tabletop exercises can take many forms. At the outset, it can be helpful for the board to receive a readout following an executive-level tabletop exercise, highlighting the key strengths and areas of improvement for management to focus on moving forward. Once the board understands how management is prepared to respond to an event and the results of its testing of these processes, it can be appropriate to bring the board in.
To achieve this result, companies are conducting training or tabletop exercises directly with board members. These tabletop exercises frequently involve a third-party expert, such as outside breach counsel and/or cyber consultants, facilitating the tabletop and walking the board through a simulated cyberincident to allow the board to test its oversight role at key inject points in the incident.
By way of example, in a scenario involving a ransomware attack that significantly disrupts the company's operations, a board tabletop would surface the topics on which the board would be expected to engage more deeply with senior management. These include the remediation and restoration strategy (for example, when the company expects to be able to restore operations) and the questions of whether to engage with the threat actor and whether to pay a ransom, which turns in part on whether obtaining a decryption key would actually accelerate recovery.
The form of the exercise is often less of a testing exercise and more of a training exercise as the board oversight role should be focused more on becoming informed rather than how to make decisions in the aftermath of an incident.
Practical Tips
While the board's oversight role in cybersecurity is seemingly becoming increasingly complex, there are several tangible steps a board can and should take to exercise effective oversight of the company's cyberbreach responses.
Regular reporting cadence and timely cyberincident communications.
Boards should ensure that they are informed of the nature and types of security incidents the company experiences. This includes not only prompt escalation to the board of significant cyberincidents, but also regular, for example quarterly, reporting by management on the various types of cyberincidents the company has experienced, including those that do not rise to the level of a significant cyberincident.
Documentation of the board's involvement in incident response.
Companies should take steps to ensure that their written incident response plans, processes or protocols set out which types of incidents are escalated to the board or a board committee, by whom, and when. Without adequate information and an established reporting cadence, the board cannot exercise its oversight role, which could expose the company, and its directors and officers, to unnecessary liability.
In light of the new SEC cyber disclosure rule, requiring disclosure to the SEC of a material cybersecurity incident on Form 8-K within four business days from the date of a materiality determination, companies should also review existing documentation to identify whether, when and how these determinations are presented to the board.
Develop a relationship and regularly engage with the chief information security officer.
Often, the chief information officer is the C-suite officer overseeing cybersecurity and the executive directly engaging with the board. While conversations with the CIO are often focused on the discussion of emerging technologies and data capabilities, there is a growing need to bring in the CISO to be part of these conversations and ensure cybersecurity is adequately part of the same dialogue.[8]
Regular board engagement with the CISO can help build trust between board members and the CISO, and this trusted relationship can go a long way when responding to a significant cyberincident.
Consider whether the board has the requisite cyber knowledge.
While there is no regulatory requirement that board members, or a subset of the board, maintain a specific level of cyber knowledge (the New York State Department of Financial Services, in fact, decided against including such a requirement in the final second amendment to its cybersecurity regulation), this skill set could be crucial: cybersecurity is a specialized area, and at least a basic level of cyber literacy is needed to adequately assess and oversee the cybersecurity program.
In a promising statistic from the annual National Association of Corporate Directors survey of public company directors, 83% of respondents indicated that their board's understanding of cyber risk has significantly improved over the past two years.[9] That said, boards should avoid relying excessively on a single director who has cyber knowledge while the remaining directors are not cyber-proficient.
[1] Cybersecurity Risk Management, Strategy, Governance & Incident Disclosure, 88 Fed. Reg. 51896 (Aug. 4, 2023).
[2] Second Amendment to 23 NYCRR 500 (amended Nov. 1, 2023).
[3] See supra n. 1.
[4] See Complaint, SEC v. SolarWinds Corp., Case No. 23-cv-09518 (S.D.N.Y. Oct. 30, 2023).
[5] See Verified Shareholder Derivative Complaint, Construction Industry Laborers Pension Fund, et al. v. Bingle, et al., Case No. 2021-0940-SG (Del. Ch. Ct. Nov. 4, 2021).
[6] See Memorandum Opinion, Construction Industry Laborers Pension Fund, et al. v. Bingle, et al., Case No. 2021-0940-SG (Del. Ch. Ct. Sept. 6, 2022).
[7] See NACD and ISA's Director's Handbook on Cyber-Risk Oversight, Board Oversight Structure and Access to Expertise, p. 20.
[8] See NACD and ISA's Director's Handbook on Cyber-Risk Oversight, Board Oversight Structure and Access to Expertise, p. 15.
[9] See NACD and ISA's Director's Handbook on Cyber-Risk Oversight, Board Oversight Structure and Access to Expertise, p. 23.