What Should Boards Think About After a Breach?
Thanks in no small part to the potential impact of data breaches on organizations’ bottom lines, cybersecurity has become a top-of-mind concern for boards of directors. Equifax’s September 2017 data breach is a stark example of how a breach can negatively—and significantly—impact an organization’s bottom line. To date, the company has reportedly spent over $1.4 billion investigating the breach and overhauling its information security systems because of it. The company may also be on the hook for an additional $800 million as a result of its settlement of the litigation and government actions filed against it in the wake of the breach.
We’ve previously covered what boards can do before a data breach to prepare themselves and their organizations for such an event. But what about when the inevitable happens and an organization—your organization—suffers a data breach? What’s a board—your board—to do?
In the wake of a data breach, your board of directors should focus on the same things it would normally focus on following any crisis affecting your organization.
As the people responsible for the oversight of your organization’s strategic direction and overall performance, your board should be primarily concerned with making sure that any problems exposed by the breach are: (i) recognized, (ii) understood, and (iii) remediated to the extent possible.
To fulfill its oversight responsibilities, your board must receive regular updates regarding the systems and processes that your organization uses to safeguard its information and networks to understand whether these systems and processes helped your organization respond to the breach and limit its impact—or whether they played a role in causing the breach.
Your board should also consider the people-side of the equation. Do you have the right people and processes in place to respond to a cyber event? Even if your personnel made mistakes, was there a process in place to identify the relevant risks, escalate concerns, and make decisions in a timely way?
For example, let’s say that one of your organization’s older databases was compromised. Your internal investigation determines that the database was not patched with security updates as often as it should have been because it was a legacy system that was scheduled to be decommissioned. Patching this particular system was not a priority before the incident because your IT team was focused on the systems that the company actually uses.
After promptly being presented with the findings of this investigation, your board should focus on your organization’s processes for patching databases. Your board should not conduct its review with the goal of placing blame. Instead, it should focus on: (i) understanding what happened, (ii) getting regular reports on whether the people involved should have behaved differently, (iii) determining whether the proper processes were in place and whether they were used to identify, contain, and remediate the issue, and (iv) receiving updates about how the lessons learned from the incident are built into new, or newly revised, systems and processes within the organization. The board’s consideration and deliberation about the organization’s new systems and processes should be documented through written records.
In light of Marchand v. Barnhill (June 18, 2019), directors have risk oversight responsibilities and can incur liability for failing to “make a good faith effort to implement an oversight system and then monitor it.” A recent $225 million settlement between the Boeing Company (“Boeing”) and its shareholders regarding Boeing’s board’s failure to provide effective safety risk oversight underscores this point.
On September 7, 2021, the Delaware Chancery Court approved a settlement between Boeing and the company’s shareholders to resolve a derivative lawsuit regarding Boeing’s board’s oversight of the safety of the 737 MAX—a plane that contained design flaws, which led to two deadly crashes. When the 737 MAX was being developed, Boeing did not have a board committee responsible for monitoring airplane safety, which was a “mission critical” area of risk for Boeing, an aircraft manufacturing company. Post-Marchand and -Boeing, directors should be aware that oversight and monitoring of mission critical risks are considered fundamental parts of a director’s responsibilities—and a failure to provide this oversight can lead to legal liability. Given the current shifts to remote work and embrace of cloud-based operations, as well as our current digital economy, cyber risk is a mission critical risk for most organizations.
The severity or impact of a particular data security incident will dictate the role your board plays in overseeing changes to your organization’s systems and processes.
Some data breaches are the result of a one-time mistake or the efforts of a particularly sophisticated bad actor. When a breach of this type occurs, your management and board may determine, after due deliberation that is well documented, that your organization’s systems or processes did not significantly contribute to the breach. In that event, additional oversight (beyond your board’s typical oversight responsibilities) may not be necessary to ensure that the lessons learned from this kind of breach are implemented by your organization.
However, if a particular data breach exposes shortcomings in your organization’s systems and processes, your board should consider delegating the task of overseeing the changes required to fix these shortcomings to one of its committees.
There is a trend of delegating cyber issues to a committee, such as the risk or the technology committee, which may have more experience in cyber issues and might be able to provide more specialized guidance and oversight than the board at large.
A serious data breach, however, may require the creation of a separate cybersecurity risk committee to oversee any new systems and processes developed after the incident. Serious data breaches may also lead to personnel changes, as agreed upon by your management and board, to reduce the future risk of similar breaches.
Further, the currently proposed rules from the Securities and Exchange Commission (SEC) will require that boards maintain continuous oversight of and visibility into any material cybersecurity incidents. Under the proposed SEC rules, public companies will be required to disclose on a Form 8-K any material cybersecurity incident within four business days of determining whether the incident was material, and will have an ongoing requirement to provide any material changes or updates to previously disclosed information about any prior cyber incident. If the proposed SEC rules are adopted, boards will need to ensure that they are promptly notified of the scope and severity of any breach so that they can act quickly in determining whether any disclosure will be required. On a related note, there is a brewing debate over whether boards should include at least one director with significant professional cybersecurity experience. As more organizations add board members with this experience, standing cybersecurity risk committees may become commonplace. Also, pending federal legislation and proposed rules from the SEC on this topic suggest that, in the near future, public companies may have a legal or regulatory obligation to disclose their oversight of cybersecurity as well as the cybersecurity experience or expertise of their board members. Under the proposed SEC rules, cybersecurity expertise of board members is defined as prior work in cybersecurity, certification or a degree in cybersecurity, and/or knowledge, skills, or other background related to cybersecurity.
If—or, more realistically, when—your organization suffers a significant data breach or other cyber incident, your organization’s board of directors will have an important role to play.
Its focus should be on understanding: