In "Board Oversight of Cybersecurity Risks," Sidley Austin's Holly Gregory advises boards to consider: (i) general risk oversight principles, (ii) the NIST cybersecurity framework, and (iii) emerging best practices in determining their cybersecurity approach, which may evolve over time. The timely new memo breaks down each of these three broad areas into tangible takeaways, and includes references to other resources, e.g., CII's "Prioritizing Cybersecurity: Five Investor Questions for Portfolio Company Boards" (reported on in Cybersecurity here) that may facilitate management's and the board's further diligence and dialogue.
This excerpt from the memo's discussion on generally applicable risk oversight principles is noteworthy for its recap of the basics, which may tend to get lost in the cyber shuffle:
The technical nature of cybersecurity issues may raise concern among directors about whether the board has an appropriate understanding and is providing sufficient oversight. The board need not have a detailed technological understanding of these issues, but the board should be well advised and have access to technological expertise in the management team and advisors.
As in other areas, directors are entitled to rely on management and outside experts on these issues. Ultimately, the business judgment rule presumption should apply to the decisions that directors make regarding oversight of cybersecurity issues, as long as they satisfy the core standards of care, loyalty, and good faith, which apply to board decisions generally.
Directors should apply the same common-sense approach to cybersecurity risks that they apply to other business risks. A common-sense risk oversight approach should avoid focusing unduly on technical issues. It should instead address issues related to policies and processes, including efforts to educate employees and ensure compliance, and the appropriate deployment of corporate resources.
More broadly, emerging best practices in this dynamic area take into account company-specific facts and circumstances that should inform the board's cybersecurity oversight agenda, and which may result in vastly different oversight practices across companies.