Drip7 Reminds Boards Cyber Risk Reaches Them – Boards of Directors are…


In the past year, 45% of US companies have experienced a data breach.[1] On average, there is a cyber attack every 39 seconds.[2] No company is totally secure. And now, every board member can be held responsible for breaches. Never before has it been so important for Board Members to be aware of their organization’s cybersecurity.

Being a board member is a serious role that holds specific duties and responsibilities. Those include being “duty-bound to oversee its overall cybersecurity management, including appropriate risk mitigation strategies, systems, processes, and controls.”[3] Drip7’s Founder and CEO Heather Stratford works with leaders across industries, preparing them both to secure their organization and to protect board members from legal repercussions.

Leaders of organizations that are attacked can be subject to lawsuits and may stand trial when they don’t meet their fiduciary and oversight responsibilities. The 1996 landmark decision in Caremark established a legal framework for holding directors personally liable.

Yahoo was the first large breach in which the board of directors was held liable based on the Caremark decision. After Yahoo had two large data breaches, exposing over one billion user accounts, the California Supreme Court approved a 29 million dollar settlement in consolidated derivative litigation brought against the directors and officers of Yahoo, Inc.

Currently, there are several high-profile cases underway that argue for holding the board of directors liable under these same legal precedents. SolarWinds had a recent breach, and the resulting lawsuit names both current and past directors as defendants.[4]

INCREASED CYBERSECURITY REGULATIONS ON THE HORIZON

Increasing regulations on both federal and state levels dealing with cybersecurity will force the evolution of the role of board members. In 2022, the SEC proposed new rules for cybersecurity as did the New York Department of Financial Services (NYDFS). More agencies and states will follow suit.

The Caremark case set a legal precedent that is being used increasingly in litigation. Present and past board members should be aware that they can be held personally liable in the event of a cyber breach. Understanding more about cybersecurity and spending more time with the CIO and IT team are steps toward ensuring more care and focus is placed on critical safeguards within an organization.

WHAT EVERY BOARD MUST DO

Heather Stratford, Founder and CEO of Drip7, speaks to boards regularly to help them improve their cyber posture and understanding. Here are 7 actions she recommends for every board of directors:

  • Have an annual cybersecurity training at the board level.
  • Have a regular IT update specifically on cybersecurity activity and monitoring, including a review of the last vulnerability assessment.
  • Understand the key areas of the business that are critical to operation and what personal data the company holds and where.
  • Determine when employee training is required. It should be consistent, reinforced, and at least monthly.
  • Review the privacy and compliance standards for the organization’s specific industry and where the organization ranks.
  • Review the main levels of the NIST framework and how the organization measures up against it.
  • Review reports of areas noted in any penetration testing activities.

Board members need to protect themselves. They can be held personally liable for cyber breaches. Federal and state regulations are tightening to address the growing frequency and impact of cyberattacks. Boards of directors must learn to oversee cybersecurity and compliance practices appropriate to their industry. If you have not implemented all of these steps, reach out to Drip7 and Heather Stratford to learn more about protecting yourself and your organization.

ABOUT DRIP7

Drip7 is a leading innovator in the field of cybersecurity awareness training and beyond, with an easy-to-use, mobile-based platform utilizing microlearning and gamification to increase employee engagement and create behavior change. Drip7 combines the right science and content to produce a superior training platform, from one question or “drip” a day to allowing employees to train when and where they want on their phone or computer. Drip7 engages users with an interactive dashboard, rewards, badges, and more. Included training is focused on cybersecurity and compliance; however, the platform can be customized by a company for any training need. For more information, please visit https://drip7.com/.

[1] https://www.comparitech.com/blog/vpn-privacy/data-breach-statistics-facts/

[2] https://securityaffairs.co/wordpress/138507/security/board-directors-liability-for-cyberattack.html

[3] deloitte.com/in/en/pages/risk/articles/the-changing-role-of-the-board-on-cybersecurity-noexp.html

[4] https://advisorsmith.com/business-insurance/cyber-liability-insurance/risks-for-directors-and-officers/#why-care
