Cybersecurity and the risks of data breaches figured prominently at the 35th Annual Ray Garrett Corporate and Securities Law Institute held April 30, 2015, at Northwestern Law School in Chicago. Participating in a panel addressing Cybersecurity and Data Breach: The New Reality for Directors and Those Who Advise Them, Reed Smith partner Mark Melodia and several other panelists engaged in a wide-ranging discussion of effective board oversight of cybersecurity challenges facing their companies. Notably, this was the first time that cybersecurity issues were the sole focus of a Garrett Institute panel.
During his remarks, Mark stressed that boards must be engaged in oversight of a company’s cybersecurity enterprise risk management, as well as crisis management. In a widely publicized June 2014 speech, Securities and Exchange Commission (SEC) Commissioner Luis Aguilar threw down the gauntlet to directors of public companies, telling them that they needed to become active participants in overseeing their companies’ cybersecurity planning and preparation. As he put it, “directors should take seriously their obligation to make sure that companies are appropriately addressing [cyber risks].”
The panel discussed a number of best practices intended to ensure that companies are adequately prepared for a cyberattack and its aftermath, including responses to federal and state agency investigations, as well as the private civil litigation that inevitably follows the announcement of a data breach:
- Develop a framework for board involvement in the oversight of cybersecurity risk along with senior management
- Conduct a risk assessment and engage in data-mapping to identify the information assets that require protection
- Make sure that there is an information governance process in place that regularly reviews and enforces document retention schedules, since companies cannot lose information they don’t have
- Develop a plan to address a data breach when one occurs (Incident Response Plan)
- Test Incident Response Plans through mock security breach table-top exercises
- Engage in thorough vendor management, including third-party due diligence in vetting vendors, remembering that vendors have been at the root of a number of highly publicized data breaches, such as the Target breach
- Evaluate existing insurance coverage, as well as the security and data privacy policies recently introduced in the market, to obtain the best coverage in the event of an attack
These best practices apply to both private and public companies, as does the overarching obligation to practice good cyber governance.
Speaking at the same Garrett Institute program, the SEC’s Chicago Regional Administrator, David Glockner, emphasized that among the significant issues on the SEC’s enforcement agenda in 2015 is the adequacy of cybersecurity risk disclosures in public company filings. Mr. Glockner’s remarks echoed similar comments he made recently, when he described cybersecurity as being “high on our [the SEC’s] radar screen.” In other words, companies should anticipate a stepped-up level of SEC cybersecurity enforcement actions.