There is no doubt that the costs of a cyber incident can be staggering, with first-party breach response expenses, business interruption loss, and third-party litigation all having a noticeable impact on the bottom line. In some cases, the fallout may damage a brand’s reputation, strain a company’s ability to serve customers, or prevent a nonprofit organization from effectively fulfilling its mission. Given the existential threat posed by cyber risks, the issue has gradually risen from solely an IT department problem to one that concerns top-level management. In recent years, there have been several high-profile shareholder derivative lawsuits aimed at directors and officers of publicly traded companies following data breaches, often alleging a breach of fiduciary duty, negligence, or gross mismanagement. Boards of directors for private companies and nonprofits alike have a duty of care to their organizations, and individual directors and officers may be held personally liable for their failures, negligence, or inaction. In an era where the prevention of cyberattacks is virtually impossible, it is imperative that boards recognize their exposure to cyber risk and proactively take steps to manage it.
Here are some of the major topics that boards should contemplate when assessing and addressing their organizations’ cyber risk: