Citation: 4 J.L. & Cyber Warfare 109 2014 Content downloaded/printed from HeinOnline (http://heinonline.org) Wed Mar 11 08:42:00 2015 -- Your use of this HeinOnline PDF indicates your acceptance of HeinOnline's Terms and Conditions of the license agreement available at http://heinonline.org/HOL/License -- The search text of this PDF is generated from uncorrected OCR text.


Strengthened Director Duties of Care for Cybersecurity Oversight: Evolving Expectations of Existing Legal Doctrine

Brad Lunn¹

It is difficult to identify when an existing order will change, and when the combined effects of multiple, seemingly independent forces will collude to bring about something new. We are reminded of this when a disruptive technology enters a new field. Existing practices give way to new realities and a return to the comfortable "old" way seems unimaginable. While corporate law practitioners have become comfortable with the substantial discretion provided directors under Delaware's interpretations of director duties and the business-judgment rule, a transformation of expectations concerning director oversight of cybersecurity and associated director liability is currently underway. To date, board oversight of cybersecurity has been less than effective. The National Association of Corporate Directors' ("NACD") 2012 conference featured a presentation that described an "IT confidence gap" and noted most directors between age 60 and 65 spend a majority of their professional lives in the pre-digital era. The NACD presentation also disclosed that less than 1% of Fortune 500 directors have been or are currently chief information officers (CIO's) and that IT is highly technical and difficult for most directors to understand.² Moving forward, corporate directors are well advised to anticipate that emerging technology forces and corporate law precedent will pressure courts and regulators to require directors to oversee cybersecurity with vigilance similar to that expected of legal compliance professionals. In this new era, increased cybersecurity-oversight duties and director liability are certain to lead to dramatic and important changes in corporate law. Their time will come; the question is when and by what means.

¹ Brad Lunn is an executive in a leading Aerospace & Defense firm, and a founding member of the Defense Security Information Exchange (DSIE). An experienced board member, he served on a national governing body of the US Olympic Committee and was Audit Chair. He completed Harvard's flagship program on Corporate Governance and is chief executive of a non-profit organization focused on cyber-security oversight. Special thanks for the helpful advice of Professor Lynne Dallas of USD Law School. All errors are the author's alone.

² Cybersecurity and the Board, October 15, 2012, National Association of Corporate Directors, available at http://www.nacdonline.org (last visited Feb. 25, 2014).

I. The Importance of Cybersecurity to Corporations

Corporate law will evolve to respond to the threat of cyber-breaches. To see why, one only has to look at current events with cyber intrusions. Perhaps most notably, Target Corporation (NYSE: TGT) suffered a massive data breach beginning in November of 2013, resulting in the loss of an estimated 70 million customer records including credit card information and emails. The event was followed by declines in revenue, falling stock prices, layoffs, morale problems and the replacement of the CEO.³ The publicity of this event was widespread and persistent. Home Depot (NYSE: HD) also allowed customer data to be lost in September 2014 and in a company press release⁴ noted the financial gross costs of about $62 Million covering the investigation, customer credit monitoring and legal expenses, although the additional damage to reputation and impact to the brand are difficult to calculate. An October 2014 cyber breach at JPMorgan Chase that is noted to affect 76 million households⁵ highlights that even financial firms who were long thought to be safe are in fact vulnerable to cyber crime. The Federal Reserve and the Department of Energy suffered cybersecurity breaches resulting in thousands of records being lost.⁶ Similarly, Adobe Systems recently announced that approximately 2.9 million customer records containing credit card information were accessed, forcing the company to reset all passwords.⁷

³ Meagan Clark, Timeline of Target's Data Breach and Aftermath: How Cybertheft Snowballed For The Giant Retailer, International Business Times, May 5, 2014, available at http://www.ibtimes.com (last visited Oct. 18, 2014).

⁴ Home Depot, The Home Depot Completes Malware Elimination and Enhanced Encryption of Payment Data in all U.S. Stores, Sept. 18, 2014, https://corporate.homedepot.com/.../Press%20Release.

⁵ Jessica Silver-Greenberg, JPMorgan Chase Hacking Affects 76 Million Households, N.Y. TIMES, Oct. 2, 2014, available at http://dealbook.nytimes.com.

⁶ Robert Lemos, Federal Reserve, DOE Confirm Hackers Breached Servers, Stole Data, EWEEK, Feb. 2, 2013, available at http://www.eweek.com/security/federal-reserve-doe-confirn-hackers-breached-servers-stole-data! (last visited Feb. 25, 2014).

⁷ Adobe warns 2.9 million customers of data breach after cyber-attack, THE GUARDIAN, Oct. 3, 2013, available at http://www.theguardian.com/technology/2013/oct/03/adobe-hacking-data-breach-cyber-attack (last visited Feb. 25, 2014).

While consumer retail, financial and government entities suffer highly public cyber-breaches, other industry groups are not immune. Cybersecurity breaches can impact customers and suppliers, and cause intellectual property loss, identity theft, fraudulent transactions, damage to infrastructure (including electric utilities, water treatment, sewage treatment, industrial system control and even military readiness), and loss of classified and militarily sensitive information. Many companies are reluctant to disclose cyber-security incidents because doing so may impact their reputations, foster criticism, and increase liability for meeting increased threats.

II. Cyber Crime is Different

Cybercriminals can engage in behavior ranging from teenager nuisance hacking, creating annoying computer viruses, criminal extortion, and political hacking to government-sponsored espionage and all out cyber warfare. Those behind these acts are commonly intelligent, creative and persistent, so defenses must evolve. A cybercriminal, however, could transfer all funds out of a corporate bank account, access and steal corporate intellectual property, access confidential client records, steal and use customer credit card and banking files, alter corporate accounting records, access and adjust medical files, change grades, open flood gates at a dam, turn off municipal water pumps, or worse. While it's unlikely a common criminal could enter a building and take millions of customer records, a cybercriminal can leverage speed-of-light tools to their advantage, hide for years in a cloak of distant unnamed servers in multiple jurisdictions, and erase a decade of brand building overnight. The very fact that these crimes occur regularly⁸ and often involve enormous economic value makes it reasonable for corporate directors to pay close attention. Said another way, it might be challenging to assert that a reasonably informed board is unaware of today's substantial cybersecurity issues affecting organizations of all kinds.

⁸ The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals 201-06 (Rhodes & Polley eds., 2013).

III. A Complex and Regulatory Environment

The legal profession is now recognizing that cyber threats are widespread and serious. The American Bar Association published its first handbook on cybersecurity in 2013. It states, "according to PriceWaterhouseCoopers, hacking has become so prevalent that major organizations should assume that their systems have been compromised and proceed from that assumption in testing and improving their defenses."⁹ While it is difficult to imagine that informed business professionals are not aware that cybersecurity events occur regularly, it is not difficult to appreciate that directors will find it difficult to monitor cyber-security risks, since they are not familiar with this difficult-to-understand subject. Difficulty, however, does not mean competent monitoring is not required. Just as financial controls were not universally understood by directors pre-Sarbanes Oxley and Enron, that lack of a firm grasp of financial controls did not mean oversight was not required, but rather that the oversight lacked adequate attention and expertise, which was later addressed through regulation and litigation.

⁹ Id. at 173.

Similarly, many important regulatory entities are now focused on cybersecurity. The Securities and Exchange Commission ("SEC") and the Federal Trade Commission ("FTC") have weighed in on cybersecurity regulation. Public companies are subject to certain mandatory disclosure requirements set forth in the Securities Act of 1933 and the Securities Exchange Act of 1934 and in regulations promulgated under such acts.¹⁰ The Securities and Exchange Commission recently issued a bulletin providing guidance and clarifying operating risks that include cyber risks.¹¹

¹⁰ 17 C.F.R. 240.10b-5.

¹¹ Regulation Systems Compliance and Integrity, Securities and Exchange Commission, Mar. 7, 2013, 17 CFR Parts 242 and 249, Release No. 34-69077, available at https://www.sec.gov/rules/proposed/2013/34-69077.pdf (last visited Feb. 25, 2014).

Under SEC requirements, newly described "disclosure controls" applying to both financial and nonfinancial information require Form 8-K to be filed with the SEC within two business days of an event's occurrence. The new requirement puts management on clear notice that events potentially having a material effect on the business or operations must be disclosed quickly. "These new rules, and proposed SEC rules accelerating reporting deadlines for filing required reports, place a new burden on reporting companies to develop and adopt adequate disclosure controls and procedures. The SEC expects each issuer to develop a process that is consistent with its business and internal management and supervisory practices. Thus, every reporting company should formalize and document the disclosure controls and procedures that it adopts as well as the methodology for evaluating those controls and procedures."¹²

¹² James E. O'Connor, Data Security & Privacy Law, 10:4, WestlawNext, Database updated June 2013.

Given that computer systems are either central to a company's operating model, such as Amazon or eBay, or a substantial support system, such as banks or manufacturers, such systems can be both financial and nonfinancial. Computer-system risks must be disclosed.¹³

¹³ Id. The actual text states "Any risk factors that would materially affect those computer systems also will have a material effect on the business and operations of these companies. Based on the importance of computer systems to most businesses, companies are required to disclose the risks associated with installing, operating, maintaining and replacing or upgrading these systems, at least to the extent that these risks are unique in certain respects to the specific company or could have a materially adverse effect on the company's business. The risks to these computer systems include cybersecurity, and events related to its failure to protect such systems from internal and external threats. This disclosure obligation, coupled with the risks themselves, compel companies to do their best to limit such associated risks, both to systems they own directly and systems that a service provider may own or operate."

The regulatory environment beyond the SEC has grown to include the FTC's oversight of identity theft, and its notable concept of "red flags." A recent law journal notes "One example of the regulatory landscape governing IT risk is the Federal Trade Commission's 'Red Flags Rule' requiring certain companies to implement an identity theft program. Under the rule, financial institutions subject to FTC oversight and all companies, both private and public, that extend credit to their customers must have a written plan in place to detect and respond to identity theft. The plan must identify the red flags inherent to a particular company's operations, such as scenarios in which there is risk for exposure of sensitive customer information or in which there are indicators that customer data may have already been breached."¹⁴ Identity theft is only one of many different cybersecurity issues. The line between "required oversight" and simply good practice is increasingly uncertain.

¹⁴ Lawrence J. Trautman & Kara Altenbaumer-Price, The Board's Responsibility for Information Technology Governance, 28 J. MARSHALL J. COMPUTER & INFO. L. 313, 336 (2011).

A large firm operating in multiple jurisdictions faces more legal considerations in overseeing its cybersecurity. The American Bar Association notes numerous federal and state statutes and regulations relating to cybersecurity.¹⁵ The federal statutes and regulations include the Electronic Signatures in Global and National Commerce Act, Federal Trade Commission Act, Gramm-Leach-Bliley Act, HIPAA, Homeland Security Act of 2002, and six others. States have many other requirements. The author identified 140 rules addressing obligations to provide security for credit card information, data disposal/destruction, the duty to encrypt personal information, security breach notification, SSN laws, and SSN policies. The legal landscape is complex indeed, heightening the importance of appropriate compliance.

¹⁵ The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals 201-06 (Rhodes & Polley eds., 2013).

IV. Negligence Theory and Cybersecurity

Negligence theory requires an analysis comparing duty to actual behavior deemed to breach the required level of care in the circumstances. A dated but famous case, The T. J. Hooper,¹⁶ set in the early 1930's, involved the sinking of a coal ship at sea. In Hooper the ship was not equipped with a recently developed technical innovation, namely radio systems that would have allowed the ship to know of an approaching storm and then simply maneuver to safe waters in advance of the approaching danger. The equipment was available and relatively inexpensive, yet it was not universal or commonly implemented as standard equipment in those days. The operator of the ship argued that there was no standard in the industry that mandated such use of radios and that there was no common practice for the same. The judge in his opinion wrote "Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission."¹⁷ While cybersecurity was not the subject of the Hooper case, the logic the court used has strong parallels to cyber oversight, in which dangers and technologies are evolving rapidly. Courts and regulators will not likely overlook these analogous situations.

¹⁶ The T. J. Hooper, 60 F.2d 737 (2d Cir. 1932).

V. Negligence Theory and Foundational Corporate Law

The Third Restatement of Torts notes that the "Primary factors to consider in ascertaining whether the person's conduct lacks reasonable care are the foreseeable likelihood that the person's conduct will result in harm, the foreseeable severity of any harm that may ensue, and the burden of precautions to eliminate or reduce the risk of harm."¹⁸ With respect to corporate law, the questions to ask include:

1) What exactly are the duties of a director?

2) What is expected of them under the law?

¹⁸ Restatement (Third) of Torts, Liability for Physical Harm 3 (P.F.D. No. 1, 2005), available at www.law.cornell.edu/wex/negligence (last visited Aug. 28, 2013).

The Model Business Corporations Act ("MBCA"), which has been adopted by many states in some version, defines a standard of conduct for directors that requires them to act in good faith, act in the reasonable interests of the corporation, and become informed with respect to their oversight role. It also requires due care.¹⁹ Corporate law looks to reasonable processes, not outcomes per se.²⁰ What is "reasonable" is a question of corporate law that accounts for the circumstances the board faces. The MBCA's official notes explain, "The phrase 'reasonably believes' is both subjective and objective in character. Its first level of analysis is geared to what the particular director, acting in good faith, actually believes, not what objective analysis would lead another director (in a like position and acting in similar circumstances) to conclude. The second level of analysis is focused specifically on 'reasonably.' While a director has wide discretion in marshaling the evidence and reaching conclusions, whether a director's belief is reasonable (i.e., could, not would, a reasonable person in a like position and acting in similar circumstances have arrived at that belief) ultimately involves an overview that is objective in character."²¹ Boards and individual corporate directors are not expected to make perfect decisions, but rather to act reasonably under the circumstances. Corporate law refers to these duties as the duty of care and duty of good faith. The courts have also fashioned the "business judgment rule" ("BJR"), which is a presumption insulating directors from liability if they exercise good faith in the exercise of their judgment when such judgments turn out, in hindsight, to be harmful to the corporation.²² "Delaware's default standard of review is the business judgment rule. The rule presumes that in making a business decision the directors of a corporation acted on an informed basis, in good faith and in the honest belief that the action taken was in the best interests of the company. This standard of review reflects and promotes the role of the board of directors as the proper body to manage the business and affairs of the corporation. Unless one of its elements is rebutted, the court merely looks to see whether the business decision made was rational in the sense of being one logical approach to advancing the corporation's objectives. Only when a decision lacks any rationally conceivable basis will a court infer bad faith and a breach of duty."²³ A party claiming damages against a board of directors' decision must rebut the presumption that the board's business judgment was an informed one.²⁴ Determination of whether a board of directors' business decision is informed "turns on whether the directors have informed themselves, 'prior to making a business decision, of all material information reasonably available to them.'"²⁵ This important holding demonstrates an affirmative duty to become informed. Furthermore, the court goes on to say, "Under the business judgment rule there is no protection for directors who have made unintelligent or unadvised judgment. A director's duty to inform himself in preparation for a decision derives from the fiduciary capacity in which he serves the corporation and its stockholders."²⁶ This is powerful language.

¹⁹ Model Business Corporations Act (MBCA), § 8.30, available at http://users.wfu.edu/palmitar/ICB Corporations-Companion/Conexus/ModelBusinessCorporations Act.pdf (last visited Feb. 25, 2014). The specific language states "(A) Each member of the board of directors, when discharging the duties of a director, shall act: (1) in good faith, and (2) in a manner the director reasonably believes to be in the best interests of the corporation (B) The members of the board of directors or a committee of the board, when becoming informed in connection with their decision-making function or devoting attention to their oversight function, shall discharge their duties with the care that a person in a like position would reasonably believe appropriate under similar circumstances."

²⁰ Id. In the official notes at 110 "Section 8.30 sets forth the standards of conduct for directors by focusing on the manner in which directors perform their duties, not the correctness of the decisions made." In essence, the courts do not, as a rule, endeavor to hold a director accountable for bad outcomes, but rather to a reasonable process that went into making a reasonable decision under the circumstances at the time of the decision.

²¹ Id. at 112.

²² Potter v. Pohlad, 560 N.W.2d 389, 392 (Minn. Ct. App. 1997).

²³ In re Trados Inc. Shareholder Litigation, 73 A.3d 17 (Del. Ch. Aug. 16, 2013).

²⁴ Smith v. Van Gorkom, 488 A.2d 858 (Del. Supr. 1985).

²⁵ Id. at 872.

²⁶ Id. at 872.

A case called Caremark²⁷ introduced the concept of "red flags" to director oversight. In Caremark the defendant company had a history of legal-compliance issues and faced derivative litigation plaintiffs believed breached director duty. The court noted that the "Board of directors may not satisfy obligations to monitor corporation's activities, which was part of its duty to be reasonably informed regarding corporation's affairs, without members assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation's compliance with law and its business performance."²⁸

²⁷ In Re: Caremark Intern. Inc. Deriv. Lit., 698 A.2d 959 (Del. Ch. 1996).

²⁸ Id. at 960, 10. The court also gave substantial insight into its reasoning that reflects upon the notions of court oversight of business decisions and the emphasis on process versus outcomes. It said "a director's duty of care can never appropriately be judicially determined by reference to the content of the board decision that leads to a corporate loss, apart from consideration of the good faith or rationality of the process employed. That is, whether a judge or jury considering the matter after the fact, believes a decision substantively wrong, or degrees of wrong extending through "stupid" to "egregious" or "irrational", provides no ground for director liability, so long as the court determines that the process employed was either rational or employed in a good faith effort to advance corporate interests. To employ a different rule, one that permitted an "objective" evaluation of the decision, would expose directors to substantive second guessing by ill-equipped judges or juries, which would, in the long-run, be injurious to investor interests."

So while Caremark introduces the concept of "red flags," legal doctrine evolves from what could be called a "director passive" model, which allows directors to wait until red flags clearly appear, to what might be termed a "director active" model, which requires that an information-gathering system be used to discover problems requiring board attention. Stone v. Ritter, an important case embodying this concept, was tried and appealed in Delaware in 2006. The Stone court held that "...Caremark articulates the necessary conditions predicate for director oversight liability: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention. In either case, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith."²⁹ Additionally, and for clarity on this crucial point of law, Justice Holland opined "In this appeal, the plaintiffs acknowledge that the directors neither "knew nor should have known that violations of law were occurring," i.e., that there were no "red flags" before the directors. Nevertheless, the plaintiffs argue that the court of chancery erred by dismissing the derivative complaint which alleged that "the defendants utterly failed to implement any sort of statutorily required monitoring reporting or information controls that would have enabled them to learn of problems requiring their attention.""³⁰ The opinion reiterated that, for directors, good faith and the duty to be informed are linked. "In the absence of red flags, good faith in the context of oversight must be measured by the directors' actions 'to assure a reasonable information and reporting system exists' and not by second-guessing after the occurrence of employee conduct that results in an unintended adverse outcome."³¹ Corporate directors need to note the critical requirement that requires their active engagement as a condition of fulfilling their legally mandated duties.

²⁹ Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 363, 365 (Del. 2006).

³⁰ Palmiter and Partnoy, Corporations 607 (2010).

³¹ Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 971 (Del. 2006).

As a practical matter, it is important to distinguish between a breach of the duty of care and the duty of loyalty or good faith. The liability for director breach of the duty of care can be limited in the articles of incorporation, but no such exculpation is possible for a breach of the duty of loyalty or good faith.³² A finding that directors breached their duty of loyalty or good faith can have a direct impact on director liability.

³² Jeffrey D. Bauman, Delaware General Corporation Law 352 (2011).

  • Strengthened Director Duties...

    Systematic disregard of importantinformation by act or omission is not insulated incertain situations. "The widely cited Caremarkdecision analyzed the circumstances in whichdirectors might be held personally liable for failuresto exercise sufficient oversight over corporateaffairs. That decision articulated a standard ofliability keyed to whether the plaintiff demonstrates'a sustained or systematic failure of the board toexercise oversight-such as an utter failure toattempt to assure a reasonable information andreporting system exists.' 33 Such rulings suggestthat a board cannot wait for a red flag, and that ithas an affirmative obligation to be well informed.While a director is entitled to rely on managementreports, if such reports are inconsistent with what areasonable director knows to be true, directors arenot entitled to rely on reports they reasonablysuspect are inaccurate. The concept of boards usinga reasonable "information or monitoring system"supports the basics of corporate governance,specifically directors' duty to be well informed,particularly on factors that in and of themselvesshould grab reasonable directors' attention.Corporate legal doctrine requiring directors to havean information system allowing them to gatherneeded information aligns to negligence theory interms of reasonable foreseeability; thus, thegovernance and negligence doctrines fit together

    " Gorris, Hamennesh et al., Delaware Corporate Law and the ModelBusiness Corporations Act: A study in symbiosis, Widener Law School LegalStudies Research Paper Series no. 11-15, March 25, 2011 SSRN.

    [2014]

  • Journal of Law and Cyber Warfare

    naturally. The business-judgment rule noted earlierprovides protection for corporate directors whoexercise their duties in good faith-if they act on aninformed basis. To overcome the BJR presumption,a successful plaintiff must prove defendants' actionswere grossly negligent. Gross negligence in thecorporate context requires showing "recklessindifference" or "deliberate disregard, 34 whichmay include acts and omissions caused in part bynot having a reasonable system to inform directorsof important information, which we know includescybersecurity matters.

    In another early warning of changes tocome, the successful corporate law firm ofWachtell, Lipton, Rosen and Katz ("WLRK"),which has vigorously defended corporate clients foryears commonly arguing against activist-orientedcorporate governance agendas and practices,supports the notion that the board should "...determine the company's risk appetite (financial,safety, reputation, etc.), set state-of-the-artstandards for managing risk and monitor themanagement of those risks,",35 and to "set state-of-the-art standards for compliance with legal andregulatory requirements, monitor compliance andrespond appropriately to "red flags."36 Notably,WLRK also foresaw the possibility of boards beingheld to an expanded standard of care. "To date our

    14 O'Connor, supra note 12.15 Memorandum, The future of Corporate Governance and the Board ofDirectors, Nov. 17, 2010, Wachtell, Lipton, Rosen & Katz.6 Id. at 2

    [2014]

  • Strengthened Director Duties...

    courts, even in cases involving multi-billion-dollarlosses by financial institutions, have continued toadhere to the customary Caremark-case standard fordetermining whether directors have met their dutiesof care. Earlier this year, however, the EuropeanCommission, in a consultation paper seekingcomments on options to improve corporategovernance in financial institutions, suggestedstrengthening 'legal liability of directors via anexpanded duty of care.' And the possibility thathigher standards of care could eventually beimposed not only on directors of financialinstitutions, but on directors of all corporations, isreal. Specialized committees, use of expertconsultants, tutorials and expanded directoreducation programs will go a long way to enableboards to meet even a strengthened duty of care."37

    The legal parallels between the Caremarkand Stone v. Ritter precedents and expansion ofregulatory controls into the cybersecurity realm arewell aligned. While boards and directors are notexpected to be cybersecurity experts, they areexpected to oversee firm imperatives similar tofinancial controls, legal compliance, and othermatters. In this modern era, cybersecurity issuesfaced by any organization are reasonablyforeseeable. Directors are required to makedecisions on a well-informed basis and to have anappropriate information system on which to base

    Id. at 3

    [2014]

  • Journal of Law and Cyber Warfare

    decisions and judgments. Recall that boards cannotwait until red flags emerge; the existence of redflags indicates that oversight is needed-havingbeen detected in some fashion they are no longersimply a reasonably foreseeable risk exposure.

    VI. Cybersecurity Red Flags

    So, what is a cybersecurity red flag?Examples include a pattern of penetrations orsimilar cyber events, a stated or known targeting ofthe firm, and perhaps even the possession of certain"cyber assets" of such value that it is reasonable topresume they will be actively targeted. Thecombinations are almost endless.

    A. Hypothetical Scenario

    Let's place ourselves in a situation of our own design. You are a director for ABC Company and are on the audit committee. ABC is a successful public company. The board has not received a briefing on cybersecurity as a part of its oversight, nor is cybersecurity discussed in the busy agenda. Cybersecurity is not on the annual board agenda. The CEO advised the board that outsiders accessed the company's network and early indications suggest information was stolen. He also noted that it seems like the same group that has accessed the system the last three times over two years, but nothing was stolen in those events. You were not previously aware of these "other" incursions. What are the governance issues here? (Ignore for a moment the issues that result from the fact that these cyber events and related risks were not disclosed in company filings, as you were unaware of them.)

    Did the board act reasonably in discharging its duties? Did the board exercise appropriate oversight, or become adequately informed on these matters? Was the event reasonably foreseeable? Did the fact that the CEO thought the same group was involved in penetrations previously over a period of time give a reasonable person reasonable doubt that the systems were still secure? What if the CIO believed the company would be penetrated again unless certain actions were taken, but such actions were not implemented? How does this affect the situation? How does the value of what was stolen enter the equation? Would your opinion change if you learned that the information stolen affected 10 million people likely to suffer issues of identity theft and financial losses for years? What if the information stolen provided key insights into how banks protect their communications and transactions globally, or it was sensitive military data giving adversaries an advantage in battlefield conflicts for the next two decades? What if the cyber issues immediately preceded a substantial stock price reduction and are threatening future revenues?

    The answers, and thus oversight, are complicated and circumstance driven. What is reasonable depends on the circumstances, so it is not sufficient to assume there is a "one size fits all" cyber-oversight approach. Clearly the value of what's being protected or the impact of its loss has a role in deciding what is reasonable under the circumstances.

    A few questions the board's counsel will likely ask: what was the board's duty to oversee cybersecurity, and what evidence exists that oversight was performed reasonably? Is it reasonable that the board did not have cyber oversight on the agenda given a history of intrusions and the presence of valuable cyber-assets? Would a reasonable board inquire about cybersecurity in these circumstances, and if so, how would a sufficient inquiry be accomplished?

    B. Reasonable Cyber Oversight

    The question directors should ask is "what should we do under the circumstances?" What will it take to fulfill the directors' duties of care and loyalty and the duty to act on an informed basis? How does a board avoid creating systematic, sustained or otherwise negligent acts or omissions in how it performs oversight? Recall that courts focus on the process used by the board to reach a decision, rather than the decision or outcome itself. For the company's directors to avoid liability, a court will need to find that the board used a rational process, that the decisions were made on a well-informed basis, and that decisions were an outcome of that reasonable process under the circumstances faced by the firm and its board. Boards and management should not assume this is simple. Risk management in general is difficult and cyber risk management is foreign to many directors. A Harvard Business Review article notes, "Risk management focuses on the negative: threats and failures rather than opportunities and successes. It runs exactly counter to the 'can do' culture most leadership teams try to foster..."38 The same "can do" enthusiasm can lay the seeds to say "that can't happen to us" until it does.

    Since courts tend to balance noninterference in corporate management with providing reasonable boundaries for acceptable behavior, the law has developed "tests" over time that provide the basis for decision making39 without being excessively prescriptive. The author has not found any test courts have applied to date for cyber oversight; however, it is reasonable to expect such tests to emerge. The challenge is that threats evolve constantly, and what is sufficient oversight at one time may quickly become obsolete. The author suggests that the following five factors be considered when evaluating appropriate cyber oversight by the board:

    38 Robert S. Kaplan & Annette Mikes, Managing Risks: A New Framework, Harvard Bus. Rev. 13, Jun. 2012, available at http://www.hbr.org.

    39 Cybersecurity issues are commonly broken down into matters concerning loss of confidentiality, loss of data integrity, or the loss of system availability.


    1. Systematic Board Oversight Process: Does the company employ a state-of-the-art risk management process that is highly responsive, anticipates events, seeks independent views, is appropriately trained in cybersecurity, and has access to appropriate staff and advisors?

    2. Probability of Loss: How likely is a loss? Consider previous penetrations or events and new or emerging threats and mitigating defenses. An objective and independent opinion is generally preferable.

    3. Value of Loss: What is the potential consequence of each loss, and the total of all losses combined? What are the cyber assets and which are most valuable? Consider immediate and downstream consequences, including difficult-to-quantify reputational, goodwill, supplier, shareholder, and customer impacts.

    4. Existence of Ultra-High-Value Consequences ("UHVC"): Are there some cyber risks that, even with low probability of occurrence, if they occur could threaten life or corporate existence, pose grave danger to national interests, or portend similar outcomes the impact of which is utterly unacceptable?

    5. Burden: How difficult is it to become informed of the cyber-risks and relevant facts, and employ processes, procedures, people and technology to oversee and mitigate risks, even if such mitigation is imperfect?

    If the loss probability multiplied by the loss-event value exceeds the burden (mitigation costs), such mitigations should be implemented. The greater the gap, the more important the matter should be to the company. The existence of some ultra-high-value risks warrants special consideration on a case-by-case basis, since some losses cannot be permitted (withstood) under almost any situation. Special care must be afforded to these special cases. Given that the burden of basic director education and oversight is relatively low, it is difficult to assert that such investments are not reasonable if high-value losses are possible.
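    The five factors and the probability-times-value-versus-burden rule above, written out as a small decision rule. This is an added example, not the author's code; the risk names, probabilities, dollar figures and the "escalate/implement/monitor" labels are constructed for the ABC Company hypothetical, with the UHVC factor overriding the arithmetic as the text requires.

```python
# Added example, not from the article: the author's five-factor cyber-oversight
# test as a decision rule. Names, dollar figures and probabilities are constructed
# for illustration; the "escalate"/"implement"/"monitor" labels are this example's.
from dataclasses import dataclass

@dataclass
class CyberRisk:
    name: str
    probability: float   # factor 2: likelihood of the loss event (0..1)
    loss_value: float    # factor 3: immediate plus downstream consequence, in dollars
    burden: float        # factor 5: cost to become informed, oversee and mitigate
    uhvc: bool = False   # factor 4: ultra-high-value consequence that cannot be withstood

def expected_loss(risk: CyberRisk) -> float:
    """Loss probability multiplied by loss-event value, as the article frames it."""
    return risk.probability * risk.loss_value

def mitigation_gap(risk: CyberRisk) -> float:
    """Positive when expected loss exceeds the burden (mitigation cost)."""
    return expected_loss(risk) - risk.burden

def decide(risk: CyberRisk) -> str:
    """Article's rule: implement mitigation when the gap is positive; a UHVC risk
    is never dismissed on expected value alone and gets case-by-case consideration."""
    if risk.uhvc:
        return "escalate"
    if mitigation_gap(risk) > 0:
        return "implement"
    return "monitor"

def prioritize(risks: list[CyberRisk]) -> list[tuple[str, str, float]]:
    """UHVC risks first, then the widest gap first (the article's
    'greater the gap, the more important the matter' ordering)."""
    ordered = sorted(risks, key=lambda r: (not r.uhvc, -mitigation_gap(r)))
    return [(r.name, decide(r), round(mitigation_gap(r), 2)) for r in ordered]

# Constructed sample register for the ABC Company hypothetical (figures invented).
# The same group entering three times in two years pushes the PII probability up.
# The military-data risk has a negative gap yet is escalated because it is UHVC.
SAMPLE_RISKS = [
    CyberRisk("theft of customer PII (10M people)", 0.30, 50_000_000, 2_000_000),
    CyberRisk("ransomware on isolated test lab", 0.10, 200_000, 300_000),
    CyberRisk("loss of sensitive military data", 0.02, 500_000_000, 20_000_000, uhvc=True),
]

if __name__ == "__main__":
    for name, action, gap in prioritize(SAMPLE_RISKS):
        print(f"{action:10} gap={gap:>14,.0f}  {name}")
```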

    C. Recommendations

    How many cyber red flags are too many? Can a board wait until red flags emerge before liability attaches? At what point is a line crossed that escalates facts from "unpredictable event" to "basic negligence" to "lack of good faith"? The existence of cyber red flags is not, in itself, an indication of director liability or ineffective oversight, but rather paints an emerging picture of the challenges facing the board; how the board discharges that challenge, or its failure to do so, creates the breach to which personal liability may attach. It depends on the circumstances, but these simple factors will provide directors, regulators and courts a framework in which to consider the trade-space.

    In the face of these cyber-security challenges, what factors might mitigate director liability? Is the absence of well-considered efforts to oversee cybersecurity itself a red flag? Recommended cyber-oversight activities and actions include:

    i. Have a clear, written board charter for cybersecurity oversight noting responsibilities and scope. The charter is similar to a well-considered Audit Committee charter or in some cases is an element in the Audit Committee charter. Is a specialized committee warranted?

    ii. Corporate Policies & Processes covering the many elements of cybersecurity.

    iii. The implementation of a director education program on cybersecurity.

    iv. The recruitment of directors with cybersecurity skills, knowledge and abilities consistent with the threats the company faces.

    v. The use of outside advisors with specialized skills.

    vi. Attainment of appropriate security or technical certifications by key staff, overseen by the board and top management.

    vii. The existence of employee communication and training programs appropriate for threats the company faces.

    viii. Regular, systematic board engagement in cyber oversight, similar to internal audit consideration of policy, practices, reporting, and resource sufficiency as the result of a systematic risk management process.

    ix. Appropriate documentation of the above and a systematic methodology for continuous improvement.

    VII. Conclusion

    Corporate law will evolve to hold corporate directors more accountable for cybersecurity oversight. Serious cybersecurity threats are a common and growing risk to corporate value, and breaches or failures to protect these computer systems and their data can have grave consequences to a firm's future. Directors have duties of care and loyalty, and the obligation to act on a well-informed basis on important issues impacting corporate affairs. Regulations mandating everything from disclosure of risks to quick disclosure of negative events, to specific technical requirements for system/data security are growing, and this is well known to reasonably well-informed directors.

    If a board is found to have systematically ignored such cybersecurity red flags, or utterly failed to design an information system to ensure that the board is well informed with respect to cybersecurity, and if such failure is a contributing cause of corporate loss, the author believes that a reasonable court would find director breach of the duty of care and loyalty, to which director liability would attach. The point is that directors are expected to be aware and proactive in their oversight, and not idle until cyber disaster strikes.

    The good news is that boards can take proactive steps to improve their oversight and thus reduce liabilities without imposing an unreasonable burden on their already demanding role. Discussion at the board level of cyber-security and related risks, the development and use of appropriate metrics and policies at all levels, and the use of appropriate experts in a manner that is similar to what they are familiar with in their oversight of financial controls is a good start. While directors are not expected to be cyber-risk or technology experts, they are fully expected to appropriately oversee important corporate affairs on an informed basis, and in this modern era, it certainly includes cybersecurity for almost all organizations.40

    40 This article is not legal advice. Engage appropriate legal counsel.
