“Where was the Board?” is asked every time a major hacking causes yet another data breach. Data breaches and ransomware attacks occur every day, with massive impacts on companies’ finances, market value, and reputation. In fact, cyberattacks are estimated to cost companies between $400-500 billion a year. Long gone are the days of assuming that cybersecurity could be addressed only by the CIO, CISO, or the IT department. Just as boards oversee their company’s CFO and financial functions through the audit committee, boards must now oversee their company’s cybersecurity, as is becoming increasingly clear to board members. Nearly 90 percent of respondents in a National Association of Corporate Directors survey (NACD) reported that their boards discuss cybersecurity on a regular basis. However, a mere 14 percent of those same directors believe that their boards have a high level knowledge of cybersecurity risks.
This is problematic because cybersecurity is now a key function of boards, and boards can face direct legal liability when data breaches occur in the form of shareholder derivative suits. Not only can these suits be expensive and distracting to litigate, even…
