Ransomware and other types of cyber incidents are now commonplace discussion topics in the boardrooms of companies large and small. Fear of exposure, disruption, and financial loss is a leading contributor to the conversation. In fact, nearly three quarters of US CEOs in PricewaterhouseCoopers' 24th Annual Global CEO Survey said they are “extremely concerned” about cyber threats. They even ranked it ahead of the pandemic and other health crises (46%).
But what are the potential implications of a cyber incident for executives? There is no universal answer, and the outcome depends largely on the situation and context. What is clear, however, is the standard to which executives are held accountable and the myriad of potential repercussions.
Executive Responsibilities
For any organization with shareholders (public or private), executives have a fiduciary responsibility to take the reasonable measures required to protect company data and resources. This responsibility often extends to customers too, as their contracts may include terms that require adequate governance and protection of their data. For public firms, a breach could result in litigation that pursues executives personally to recoup damages. In addition, known risk must be disclosed as a potential liability to shareholders and regulatory authorities.
So, what does this mean for executives trying to balance the many demands of running a business? It all comes down to understanding where cyber risk exists and what is being done to manage it. Much like going to the doctor for a physical to understand health risks, organizations need to evaluate risk and build a plan to address it. It is imperative to adopt reasonable practices, which vary by industry, but at a minimum to verify that management has implemented process and technology controls to manage risk effectively. As an additional check and balance, the board should periodically retain a third party to evaluate risk across the organization and follow through to ensure that any gaps are addressed in a timely manner.
Mergers and Acquisitions
Another accountability component that is often overlooked is a merger or acquisition. While seemingly harmless on the surface, the potential exposure for executives has implications that transcend the tactical details of the transaction. The most recent annual Bar Association study emphasizes the shift in focus, as the number of deals with provisions that reference cyber security has increased dramatically. These changes mean that owners are “on the hook” for any undisclosed cyber issues. In many cases, buyers are requiring attestation that there has never been an intrusion into the seller's systems and, if there was, they want assurances that the intrusion did not materially impact company operations.
With cybercrime at an all-time high, executives have a vested interest in protecting company assets. Michael Khoury, a Partner at FisherBroyles who specializes in cyber law, emphasizes the importance of executive involvement: “The focus and goal of executive engagement is to establish cybersecurity as a core business function that has the same level of support and accountability as any other.” He added, “This includes providing the funding and resources necessary to deliver results.”