In the previous two installments of this series, we discussed the fiduciary obligation of officers/directors to proactively address cyber security and the legal basis for holding them personally liable if they fail to do so.
This third and final article explores the more difficult task of deciding which best practices directors should consider adopting. Because each enterprise faces unique challenges, this process requires that directors understand their company’s cyber security risk profile and the options available for mitigating the risk. When deciding which policies or procedures to adopt, boards should consider how their decisions will be viewed after an incident occurs.
Following a loss or serious data breach, the various interested parties – stockholders, regulators, customers, politicians, media, and courts – will seek to assign blame. This chorus of finger pointers will inevitably be looking through the distorted lens of hindsight. Directors will not be accorded the benefit of the doubt, the presumption of good faith will be thrown out the window, and a conscientious cost-benefit analysis will be characterized as a deliberate decision to sacrifice data security on the altar of corporate profits.