Not a day goes by that headlines don’t have a story regarding the latest cyber breach, and the consequences experienced by customers and investors of the impacted company. Clearly these incidents highlight the importance of cybersecurity efforts not only by company management, but also by boards of directors. In this guest post, Yelena Barychev, a partner at a multi-disciplinary law firm, and Jane Storero, a former VP at an energy provider, will explore the types of questions healthcare company boards should be asking regarding the cybersecurity efforts of their companies.
Cybersecurity is one of the top health industry issues of 2016. In January 2016, the Food and Drug Administration issued draft guidance on management of cybersecurity in medical devices as it was concerned about cybersecurity vulnerabilities for medical devices.
What are the board’s responsibilities with respect to cybersecurity?
This is the first question a board should ask. Every director owes fiduciary duties to the company and its shareholders which are derived from state corporate law. Generally, the corporate law of most states imposes a duty of care on corporate directors. This duty requires that the director act with due care in protecting the assets of the corporation, including intellectual property or information assets. From this duty of care comes the board’s obligation to oversee that management’s efforts in the area of cybersecurity are adequate to protect the company and its assets.
How should the board fulfill this oversight role?
This is the next question a board should ask. The role of risk oversight is typically considered a role for the full board, but some companies believe it should reside in the audit committee or risk committee, depending on industry-specific factors and how the company is structured. It’s typically suggested that the board be briefed on cybersecurity matters no less frequently than semiannually, but quarterly updates to the board on cyber issues may be appropriate for some companies depending on company-specific factors.
The board should be discussing with management the frequency of the reports to the board on cyber topics and the areas that will be addressed in such reports. This will ensure the appropriate topics are discussed on a regular basis to assist the board in fulfilling its risk oversight duties with respect to cybersecurity.
The board should understand how the cyber risk is identified and addressed in the company’s risk dashboard. This is where management would identify the specifics of the risk, including the magnitude of the potential financial, reputational and other damage to the company if an attack is successful, and the mitigation plan in place to address such risks. This would include the restoration of the functionality of the company’s systems, as necessary, and the confidence of investors, customers and other constituencies.
Ultimately, the board should discuss the magnitude of the harm that a cyberattack can cause the company, as well as the company’s intended plans to address this issue. From this discussion, the board can assess whether management has the skills it needs to address the risk and also the adequacy of the mitigation plan. If the board doesn’t have the necessary skill set to evaluate the company’s cyber capabilities, the board should have an expert in this area provide advice on the adequacy of the plan.
Questions for boards to ask regarding a company’s cybersecurity plan include the following:
- How much is the company spending annually on cyberattack prevention and detection?
- What technologies is the company employing to detect and prevent cyber breaches?
- What has management done to train employees and contractors regarding security practices?
- What does the company do to ensure that employees and others with access to the company’s IT systems have been following prescribed protocols?
- Are the company’s agreements with third-party vendors appropriately modified to address responsibility for cyber breaches if caused by these vendors?
- Is the company following applicable regulatory guidance and requirements related to cybersecurity issues?
- What kind of insurance coverage does the company maintain for cyber incidents and what does it cover?
- Is the company’s D&O coverage sufficient to cover breach of fiduciary duty claims that may arise from a cyberattack?
Crisis management plan
Taking action to prevent cyber breaches is important, but it is equally critical for the company to have an adequate crisis management or incident response plan ready to be implemented in the event of a cyberattack.
Boards should ensure that the company’s plan clearly delineates roles and responsibilities. Questions the board should ask related to such crisis management plan include the following:
- What are the elements of the company’s crisis management plan?
- What executives have responsibility for implementing such plan?
- Have the employees responsible for implementing the plan been appropriately trained?
- Does the response plan address all critical areas like communications to customers and investors, governmental outreach and IT protocols for addressing and confining damage?
- What notifications are required to be given in the event of a cyberattack?
- Are notification protocols outlined in the plan?
Boards can take different approaches in the oversight of cyber risk and still fulfill their fiduciary duties. Cyber protections and planning for a cyber breach and recovery aren’t one-size-fits-all. Given the board’s role of oversight in this process, board members need to be sure they’re asking the right questions in order to effectively monitor management’s plans and progress in this critical area.
Yelena Barychev is a partner at Blank Rome LLP. She advises public companies on corporate and securities law issues, including risk management, cybersecurity and corporate governance matters.
Jane Storero held the position of Vice President – Corporate Governance and Secretary for Pepco Holdings Inc. with responsibility for Pepco’s SEC reporting and corporate governance function.