SEC: Cybersecurity is a Board Responsibility
The SEC has served notice to public companies that responsibility for data breaches may be laid at the doorstep of a public company’s board of directors because, like controls over of other assets, responsibility for information management safeguards is an obligation of the board. Listed companies and their directors, who may be named as defendants in shareholder derivative suits, would be wise to take notice and assess their organization’s information controls before there is a breach.
SEC Commissioner Luis Aguilar chose the setting of the New York Stock Exchange to deliver an address on June 10, 2014, entitled “Cyber Risk and the Boardroom.” After noting the plethora of data breaches involving public companies, Commissioner Aguilar observed that at least two corporations that suffered a data breach were involved in shareholder litigation. The suits allege, among other things, corporate waste with regard to the costs incurred by the company due to alleged failures to supervise information controls resulting in a massive data breach. Wyndham Worldwide Corporation, for example, is involved in shareholder litigation while at the same time facing a lawsuit brought by the FTC in 2012 as a result of Wyndham’s massive breach of customer data. In his remarks, Commissioner Aguilar signaled that the SEC is joining the Federal Trade Commission for double-barreled cyber-security enforcement at the federal level, in an attempt to promote information hygiene to protect sensitive information consumers and investors.
The Commissioner’s comments appear to signal more aggressive enforcement of regulations related to cyber-risk, particularly given his reference to the SEC’s April Cyber-Security Alert that announced spot examinations with regard to cyber risk safeguards. Commissioner Aguilar’s statement that the word “risk” in “risk oversight” for which a board is responsible includes cyber-risk, in addition to his reference to shareholder law suits following large data breaches, is highly significant for its implication that if penalties may not be large enough to get the attention of a board, risk of derivative suits naming directors as defendants surely will.
For more information about cyber-risk prevention, at the Board and management levels, breach response protocol implementation, and the availability of cyber-risk insurance, please contact Kenneth N. Rashbaum.