Determination of responsibility in the case of a cyber breach is a key question; yet, several other questions are critical to framing discussions around cyber liability. Among them:
• Who should be tasked with monitoring businesses in their cyber defense efforts? Should it be in the hands of regulators, or will civil lawsuits by affected customers and investors be sufficient to curb negligent behavior?
• When should a company be considered negligent in its processes—or lack thereof—of securing sensitive information, and what constitutes “reasonable efforts” to address vulnerabilities in networks and software, such as web applications, databases, libraries, and frameworks?
• Is cyber insurance sufficient on its own to preserve value at the corporate level?
While these questions most often sit at the IT level, it is interesting to note that the extent of the brand damage caused by breaches is often linked to boards’ level of preparedness. It is therefore a board’s fiduciary duty to ask the right questions to ensure due care has been followed.
To that end, NYSE Governance Services, in partnership with Veracode, surveyed 276 directors and officers of publicly traded companies to draw parallels between businesses’ cyber risk management practices and their efforts to address cybersecurity liability matters. Our goal was to provide further benchmarking practices to serve the interests of public companies’ boards of directors and their shareholders.