Cyber Preparedness in the Boardroom

As cyber risk facing companies of all sizes continues to grow, more corporate directors than ever appear to appreciate that their role as fiduciaries requires them to maintain sustained focus on data privacy and cybersecurity just as much as they oversee more traditional elements of enterprise risk management. But even as boards increasingly expand their oversight of cybersecurity programs, there is a growing likelihood that their oversight will be challenged in the courts and second-guessed by regulators. The continued growth in the scope and number of cyber incidents will lead to more scrutiny of a board’s oversight of a company’s preparedness, mitigation, response and resiliency programs. After describing the governing standards, this article proposes 10 questions that directors might ask to help meet these standards while minimizing potential liability for perceived shortcomings in corporate cybersecurity programs.

Duties of Directors

It is well established under corporate law in Delaware and elsewhere that part of a director’s duty of care to become and remain reasonably informed in making decisions…
