Cyber risk: The risks to boards of directors and board member obligations

The following is part of a series providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.

This blog summarizes Chapter 8: The risks to boards of directors and board member obligations, by Orrick, Herrington & Sutcliffe LLP — Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner. Please refer to the original article for any direct quotations.


The rise in cyber attacks has pushed cybersecurity up the board agenda, making it a top priority for the majority of NYSE-listed organizations.

A recent survey found that cybersecurity is discussed at 80% of all board meetings. In the same survey, however, it was revealed that only 34% of boards are confident about their respective companies’ ability to defend themselves against a cyber attack. To make matters worse, a separate survey found that only 11% of respondents believed their boards possessed a high level of understanding of the risks associated with cybersecurity.

Boards are talking about cybersecurity, but the findings suggest that they’re not quite sure what it is they’re talking about – and that’s a problem.

“…at their own peril”

Luis A. Aguilar, commissioner of the Securities and Exchange Commission (SEC), recently said, “Boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”

Directors face increasing litigation risk in connection with their responsibilities for cybersecurity oversight, particularly in the form of shareholder derivative litigation, where shareholders sue for breaches of directors’ fiduciary duties to the corporation.

In the past five years, shareholder derivative litigation has been initiated against the directors of four organizations that suffered data breaches: Target, Wyndham Worldwide, TJX Companies, and Heartland Payment Systems.

These recent cases have included allegations that directors:

  • failed to implement and monitor an effective cybersecurity program;
  • failed to protect company assets and business by recklessly disregarding cyber attack risks and ignoring red flags;
  • failed to implement and maintain internal controls to protect customers’ or employees’ personal or financial information;
  • failed to take reasonable steps to notify individuals in a timely fashion that the company’s information security system had been breached;
  • caused or allowed the company to disseminate materially false and misleading statements to shareholders (in some instances, in company filings).

Challenging re-election

Another risk that boards of directors face is activist shareholders challenging the re-election of directors who are perceived not to have done enough to prevent a cyber attack. After Target’s CEO stepped down in 2014 in the wake of the company’s data breach, a leading proxy advisory firm urged Target shareholders to oust seven of Target’s ten directors for “not doing enough to ensure Target’s systems were fortified against security threats” and for “failure to provide sufficient risk oversight” over cybersecurity.

Directors can protect themselves by taking action

Directors can best protect themselves from shareholder derivative claims by diligently overseeing the organization’s cybersecurity efforts. To strengthen their involvement, board members should receive periodic briefings on cybersecurity risk and have access to cyber experts whose expertise and experience board members can rely on in making decisions about what to do (or not to do) to address cybersecurity risks.


ISO 27001, the international standard for an information security management system (ISMS), gives boards a recognized framework for exactly this kind of oversight. It requires top-level leadership commitment, a documented and repeatable risk assessment and risk treatment process, and regular internal audits and management reviews, so the board’s involvement is planned and evidenced rather than ad hoc.

By implementing an ISO 27001-certified ISMS, boards of directors can ensure that responsibility for protecting the organization against cyber attacks and data breaches is assigned across the whole organization rather than left to the IT department alone. The management review and audit cycle also gives directors a structured, recurring way to stay involved in the cybersecurity program and to engage with the risks associated with cyber crime at a higher level. Certification demonstrates that a sound process is in place and being followed; it does not guarantee that a breach will not occur, but it provides the record of diligent oversight that directors need if their conduct is later challenged.