Oversight of Cybersecurity Matters Is Good for Business
The Global Risk Management Survey, which surveyed 2,000 public and private companies across a wide range of industries, places cybercrime/hacking/viruses/malicious codes as the fifth risk globally and the top risk in North America. The survey also projects that the risk of cybercrime will stay at these levels in 2020. Since the cyberrisk is clearly on companies' radar screens and not going away in the near future, boards of directors need to establish an effective governance structure to oversee cybersecurity matters and monitor management's plans and progress in this critical area. An effective oversight mechanism can also serve as a good defense of a board's business judgement in the event of a cyberbreach and related lawsuits claiming that directors breached their fiduciary duties.
In April, the parties in The Home Depot Inc.'s shareholder derivative action reached a settlement, and as part of that settlement, Home Depot agreed to adopt a series of measures with respect to its U.S. stores, referred to in the settlement as "Corporate Governance Reforms." This lawsuit relates to the breach of Home Depot's payment card data systems, as a result of which hackers stole the financial data of 56 million customers between April and September 2014, by using a third-party vendor's username and password to get into Home Depot's system. The claims alleged against Home Depot's directors and officers in the complaint included a breach of fiduciary duty and waste of corporate assets. The plaintiffs alleged that the defendants had "breached their duty of loyalty to Home Depot because the defendants failed to institute internal controls sufficient to oversee the risks that Home Depot faced in the event of a breach." On Nov. 30, 2016, the U.S. District Court in the Northern District of Georgia granted the defendants' motion to dismiss the complaint. On Dec. 28, 2016, the plaintiffs filed the notice of appeal to the U.S. Court of Appeals for the Eleventh District.
The corporate governance reforms reached as part of the settlement of Home Depot's shareholder derivative action are designed to keep the board sufficiently engaged in the oversight of cybersecurity matters, and involve the following measures:
- Home Depot shall document the duties and responsibilities of the chief information security officer (CISO);
- Home Depot shall periodically conduct table top cyber exercises to validate Home Depot's processes and procedures, test the readiness of its response capabilities, raise organizational awareness and train its personnel, and create remediation plans for issues and problem areas;
- Home Depot shall monitor and periodically assess key indicators of compromise on computer network endpoints;
- Home Depot shall maintain and periodically assess partnership with a dark web mining service to search for Home Depot information;
- Home Depot shall maintain the executive-level "Data Security and Privacy Governance Committee" or a comparable executive-level committee focused on Home Depot's data security, and shall document the duties and responsibilities of the committee;
- The board shall receive periodic reports from management regarding the amount of Home Depot's IT budget and what percentage of the IT budget is spent on cybersecurity measures;
- Home Depot shall maintain the incident response team and the incident response plan to address crises or disasters and periodically re-evaluate the plan;
- Home Depot shall maintain membership in at least one information sharing and analysis centers (ISACs) or information sharing and analysis organizations (ISAOs); and
- The board and the audit committee, which oversaw risks related to IT and data security, shall be authorized to retain their own IT, data and security experts and consultants, as they deem necessary.
The settlement stated that these corporate governance reforms should be maintained through at least Jan. 1, 2020, subject to either: a determination by a majority of the nonexecutive directors or the CISO and approved by a majority of the members of the audit committee that the measure is no longer in the best interest of Home Depot; or modifications that Home Deport reasonably believes are required by applicable law or regulation.
Prior to the 2014 breach, Home Depot's management informed its board of directors and the audit committee that "Home Depot was out of compliance with the PCI DSS [Payment Card Industry Data Security Standards] on multiple levels" and "would likely continue to be out of compliance until February 2015." To address this issue, the board adopted a plan that was expected to fix many of Home Depot's security weaknesses and was scheduled to be implemented by February 2015. Although the court acknowledged that "with the benefit of hindsight, one can safely say that the implementation of the plan was probably too slow, and that the plan probably would not have fixed all of the problems Home Depot had with its security," the court granted the defendants' motion to dismiss the complaint because directors exercised their business judgment in approving that plan. The court's opinion focused on the process adopted by the board and stated that the complaint detailed "numerous instances where the audit committee received regular reports from management on the state of Home Depot's data security, and the board in turn received briefings from both management and the audit committee." The court concluded that "the board was fulfilling its duty of loyalty to ensure that a reasonable system of reporting existed" because "under Delaware law, ... directors violate their duty of loyalty only 'if they knowingly and completely failed to undertake their responsibilities.'" The court further clarified that as long as directors pursued "any course of action that was reasonable, they would not have violated their duty of loyalty" because "directors' decisions must be reasonable, not perfect."
It is critical for the board to evaluate whether its cyber risk oversight is effective and assess a level of "maturity" of its cybersecurity oversight. A recent publication, "Assessing Cyber Risk: Critical Questions for the Board and the C-Suite," provides a suggested list of questions and responses assigned to high maturity, moderate maturity, or low maturity of cyberrisk oversight. For example, the first question on that list is, "Do we demonstrate due diligence, ownership and effective management of cyberrisk?" and responses that demonstrate a high maturity level of "accountability at the leadership level" echo Home Depot's corporate governance reforms and include the following:
- Board and C-suite hold a C-level executive accountable for cyberthreat-risk management and are responsible for overseeing the development of a cyberrisk program as well as confirming its implementation;
- Board and C-suite stay informed about cyberthreats and the potential impact on their organization;
- Board has one or more members—or appropriately leverages strategic advisers—who understand IT and cyber risks;
- An established senior management-level committee, or a hybrid committee consisting of management and board directors, that is dedicated to the issue of cyber risk, or an alternative senior management-level committee has adequate time devoted to the overall cyber program;
- Due diligence is evident in regular updates, budget analysis, and challenging questions to management.
The board should expect to receive a clear articulation of the current cyber risks facing all aspects of the business; a summary of recent cyberincidents, how they were handled, and lessons learned; road maps outlining how the company will continue to evolve its cybercapabilities to address cyberthreats; and meaningful metrics that provide supporting key performance and risk indicators of cyberrisks management, such as a percent of third parties assessed, severe vulnerabilities identified and addressed, the number of high-risk incidents per month, and average incident remediation time and status.
Cyberprotections and planning for a cyberbreach and recovery isn't a one-size-fits-all strategy, and boards can take different approaches to the oversight of cyberrisk to fulfill their fiduciary duties. Some measures included in the Home Depot's corporate governance reforms may not fit the governance structure of every company, but these measures underscore the importance of a thorough process and the Board's use of available resources in the effective oversight over cyberrisk management.
Reprinted with permission from the June 6, 2017, edition of The Legal Intelligencer © 2017 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, email@example.com or visit www.almreprints.com.