We are long past the point where cybersecurity can be treated like an emerging, obscure or peripheral issue. The fact is that cybersecurity is now an important concern for every organization and enterprise. For that reason, cybersecurity is also now an important concern for everyone responsible for protecting and guiding those organizations and enterprises, including in particular corporate directors and officers. In the current environment, there is no shortage of advice available for these corporate officials as they seek to understand and fulfill their responsibilities to their organizations. Indeed, the sheer volume of information available can be confusing or even overwhelming. Fortunately, there is now a single-volume guide available to help corporate directors address their organization’s cybersecurity exposures and needs. The new book by Paul Ferrillo of the Weil Gotshal law firm, entitled “Navigating the Cybersecurity Storm: A Guide for Directors and Officers,” is a readable, well-organized, and helpful guide for any corporate official seeking to address their cybersecurity responsibilities.
Corporate officials of course have many responsibilities. But as Ferrillo notes, “unlike many other aspects of directing the affairs of a public company (like overseeing its financial reporting function and obligations), ‘cybersecurity’ is new for many directors, and is certainly far from intuitive.” In recognition that cybersecurity issues may be new and unfamiliar topics for many corporate directors and officers, the book lays out in clear, understandable text the technical issues, the regulatory concerns, and the legal issues. Throughout, the book seeks to reduce the topics to understandable, practical checklists that can be used to address the issues presented.
One checklist at the outset of the book will be particularly helpful to corporate officials attempting to confront cybersecurity issues. The checklist identifies the top ten questions corporate boards should be asking in order to understand their company’s cybersecurity posture. The list includes how to go about identifying the company’s information assets and understanding how they are housed and secured. The list also identifies the various preparedness plans the company should have in place, such as Cyber Incident Response Plans and Cyber Business Continuity Plans. The list further notes the importance of cyber insurance as part of the organization’s efforts to manage its cybersecurity risks.
A particular area of focus in the book is the potential liabilities that corporate directors and officers may face as a result of cybersecurity issues. Ferrillo writes that in today’s world cybersecurity should be a “part of any organization’s enterprise risk management function, and thus, by inference, part of any director’s duty of oversight.” After reviewing the current D&O litigation landscape relating to cybersecurity issues, Ferrillo concludes that “cybersecurity breaches have the potential to not only create regulatory risk for the Company involved” but also “the risk that directors and officers of the Company may be sued for breach of fiduciary duty for their alleged failure to oversee the risks of the company.” Ferrillo helpfully lays out the steps boards can take so that, if their organization’s cybersecurity issues should attract the unwanted attention of plaintiffs’ lawyers, the board can present “a factual record and documentation of board action and involvement,” which is the key to getting cases dismissed.
The book’s chapter on cyber insurance is particularly instructive. As Ferrillo notes, “no company in the U.S. should forego buying cyber insurance to protect against the real, ever-present risk of a major cyber attack.” It is best, Ferrillo notes, for corporate boards to “explore how cyber insurance can help manage cyber risk exposures rather than leave the cybersecurity gap unfunded when security fails.” It is particularly important to note that the types of coverage offered by cyber insurance policies “vary dramatically by insurance carrier,” so it is critical to enlist the assistance of “a knowledgeable insurance broker who has experience with cyber insurance policies.”
Ferrillo’s book is not only readable and useful, it is also available on the Internet for free. The book is a great resource for corporate boards and for those who must advise them.