As boards of directors have become more focused on their fiduciary duties to oversee cybersecurity, new governance practices have begun to develop. For example, many companies have shifted cybersecurity oversight from the audit committee, which has more than enough other responsibilities, to the full board or to a risk oversight committee formed for that purpose. (See this Doug’s Note.)
These changes require that boards (and legal departments) reconsider the litany of duties contained in the applicable board committee charters so that they are accurately realigned and nothing falls through the cracks. Also, the question often arises as to how much detail to put in the relevant charter (whether audit committee, risk oversight committee or otherwise) regarding the cybersecurity responsibilities.
There are essentially three different ways to go when identifying board or committee cybersecurity oversight responsibility:
- A short statement declaring responsibility for risk oversight generally;
- A short statement specifically noting oversight responsibility for cybersecurity, privacy, data security and the like; or
- A separate, detailed list of cybersecurity-related duties.
Companies with even moderately complex operations or business lines should frequently reassess risk oversight within the board committee structure. For many companies, the dramatic increase in the duties audit committee must perform, along with the increased focus on risk management, warrants consideration of a separate risk oversight committee.
But no matter the board structure, the prominence of cybersecurity concerns in today’s world suggest that cybersecurity duties should be highlighted. By doing so, boards and management make cybersecurity a point of emphasis in every meeting and bring specificity to those oversight duties. Furthermore, they ensure that there is a clear allocation of responsibilities for cybersecurity oversight within the board and between the board and management.
The list of duties might include:
- assessing the likelihood, frequency and severity of cyber attacks and data breaches in the context of the company’s risk tolerance,
- reviewing management’s cybersecurity practices in the context of the company’s risk profile,
- confirming the adequacy of insurance coverage,
- overseeing the cybersecurity budget,
- overseeing the cyber incident response plan and resources,
- establishing appropriate frequency and content of management reports, and
- overseeing independent third-party assessments of the cybersecurity program.
Of course, duties should be added to, or deleted from, this list depending on each company’s particular circumstances and governance structure.