What level of responsibility does a board owe to a company with regard to the threat of cyberattacks? According to CIO, a very high level of responsibility. And if anything, a board’s responsibility here is a distinctive one.
Technology Reaches the Top
In the past, a company’s board has enjoyed relative anonymity and safety from the troubles of day-to-day management. Nary a company exists anymore that isn’t vulnerable to cyberattack — especially large companies. In the past, officers and board members could comfortably rely on the business judgment rule and some artsy dodging to avoid personal liability for decisions that went sour. The thought was this: “cyberattacks are IT’s problem, not ours.”
Paradise Lost
This sort of bury-your-head strategy is no longer countenanced by shareholders and is almost certainly a breach of board fiduciary duties. The CIO must inform the board about every potential weakness in the company’s network and cyber-presence. That’s his duty. Cybersecurity is no longer “niche.” The greater the potential loss, the more the CIO and board must do to fix the issue before an attack harms the company’s interests.
Business Judgment Rule
But even if an attack does happen, the business judgment rule can still shield board members from personal liability. This is because it marries notions of negligence with business proactiveness.
Since cyberattacks are no longer rare, the board is now obligated to act reasonably in the face of potential attacks. No one hopes for their battlements to be tested, but one can, with due diligence, at least ensure that the invading hordes can’t make board members personally liable for leaving the drawbridge open.