By the Nasdaq Center for Board Excellence 'Risk & Cyber Oversight' Insights Council: Rajesh De, Chris Hetner, Steve Roycroft, and Dominique Shelton Leipzig
Today's headlines make clear that privacy and cybersecurity have moved beyond IT and legal compliance issues and are now environmental, social, and governance (ESG) benchmarks vitally affecting market caps and shareholder values.
To understand the scope of the issue, it is important to clarify the terminology. At a high level, data privacy concerns the personal information companies collect, use and share, and how they communicate about their practices. Cybersecurity, on the other hand, concerns what companies do to protect personal and business critical data and maintain resilience. Privacy and cybersecurity were largely unregulated until 2018, when the European Union (EU) General Data Protection Regulation went into effect. Presently, there are over 150 countries with data protection laws.
Privacy and cybersecurity are having a major impact well beyond the legal landscape. Privacy issues triggered a $1.4 trillion loss in market cap for publicly listed companies in Q1 and Q2 of 2022. In 2021, cybercrimes cost the global economy 6 trillion dollars, and this figure is expected to increase to 10.5 trillion dollars by 2025. If privacy and cybersecurity were a country, they would have the third largest GDP, behind the U.S. (GDP of $20.89 trillion) and China (GDP of $14.72 trillion). Recently, the U.S. Department of Justice indicated that it will be pursuing a new policy seeking C-level sign-off on corporate compliance programs and signaled that it will expect CEOs to vouch for those programs. In addition, the recent criminal conviction of a Chief Information Security Officer (CISO) for a data breach has led some commentators to call for boards, rather than CISOs, to be held accountable.
The investor community is watching to see what boards do. Proxy advisors, such as Institutional Shareholder Services (ISS), have been quietly rating companies on their cyber and privacy practices via the governance prong of ESG scoring. Top global investors recently ranked cybersecurity as their second highest ESG concern, and Bloomberg reported in 2021 that its review of SEC filings from the past five years "shows a burgeoning pattern of companies explicitly categorizing their compliance with data privacy regulations and voluntary standards as an environmental, social, and governance (ESG) matter."
Frameworks for ESG reporting are providing guidance for privacy and cyber reporting. The Global Reporting Initiative (GRI), a trusted resource for ESG reporting by many companies, has issued a specific "Customer Privacy Standard," stating that breaches of customer privacy should be reported as part of enterprise risk management.
Additionally, investors are proactively engaging on board oversight of cybersecurity and privacy. One multinational investor, managing $10 trillion in assets, has reported interactions with companies to heighten board engagement. For example, it reported, "In an engagement with a pharmaceutical company we discussed the board's oversight of cybersecurity risk and management's focus on early detection rather than what it viewed as the unattainable goal of total prevention."
On April 8, 2021, the FTC called for boards to "build a team of stakeholders" who can "...bring a different perspective to the issues." In addition to the chief information officer (CIO) and the CISO, the team that reports to the board should include nontechnical leaders such as the CEO, CFO and general counsel, according to the FTC.
The FTC also encouraged boards to review their committee structure to ensure that board cybersecurity oversight occurs either at the audit committee level or via a standalone committee devoted to cybersecurity. In this regard, the FTC observed that, "Irrespective of how an organization structures its cyber risk oversight duties, the key takeaway is that cyber risks should be a priority within the board room. Board-level oversight helps to ensure that cybersecurity threats, defenses and responses have the attention of those at upper echelons and get the resources needed to do the job right."
The FTC also encouraged boards to receive regular cyber briefings: "When it comes to security, board members need to be in the know, but research suggests many of them are out of the loop."
On February 9, 2022, the SEC issued its proposed rule that calls for investment advisors and registered investment companies to adopt written cybersecurity policies and to prepare written reports to be overseen by the board. "Proposed rule 38a-2 would require a fund's board of directors, including a majority of its independent directors, initially to approve the fund's cybersecurity policies and procedures, as well as to review the written report on cybersecurity incidents and material changes to the fund's cybersecurity policies and procedures that...would be required to be prepared at least annually."
According to the SEC, "Board oversight should not be a passive activity," and called for boards to receive and read written reports. The SEC observed that, "The required written reports... would provide fund directors with information necessary to ask questions and seek relevant information regarding the effectiveness of the program and its implementation, and whether the fund has adequate resources with respect to cybersecurity matters, including access to cybersecurity expertise."
In March of 2022, the SEC proposed another rule describing its intention to require disclosure from public companies regarding whether their boards have members with cybersecurity experience. The SEC explained the rationale for this proposed new disclosure requirement saying, "Cybersecurity is already among the top priorities of many boards of directors, and cybersecurity incidents and other risks are considered one of the largest threats to companies. Accordingly, investors may find disclosure of whether any board members have cybersecurity expertise to be important as they consider their investment in the registrant as well as their votes on the election of directors of the registrant."
On July 29, 2022, the New York State Department of Financial Services proposed amendments to its regulations that would impose obligations on the boards of banks and insurers. If finalized, the proposed rule would require board approval of cybersecurity policies that cover (at a minimum): "(a) information security; (b) data governance and classification; and customer privacy."
The litigation landscape in the U.S. against public companies is transforming. In an article titled Personal Liability for Directors Who Disregard Cybersecurity, one writer observed that, "In recent months, a trend has begun to emerge among plaintiffs' lawyers seeking to file cybersecurity incident-related shareholder derivative lawsuits—attorneys are increasingly now filing claims specifically based on failures surrounding duty of oversight." A review of court dockets reveals more than 73 shareholder derivative actions filed against public companies in the U.S. pertaining to alleged data breaches or privacy violations.
On the international front, boards are increasingly the focus of global cybersecurity and privacy guidance. For example, the United Kingdom's National Cyber Security Centre (NCSC) has a Cyber Security Toolkit for Boards that contains "resources designed to encourage essential cyber security discussions between the Board and their technical experts." The EU's Draft Digital Operational Resilience Act has been approved by the European Council and European Parliament and is now cleared for trialogue negotiation. If passed, it would set forth obligations for "managing bodies" of financial institutions, including a requirement that "members of the management body shall, on a regular basis, follow specific training to gain and keep up to date sufficient knowledge and skills to understand and assess ICT risks and their impact on the operations of the financial entity."
Denmark's Centre for Cyber Security (CFCS) published cybersecurity guidance for boards of directors in December 2019, highlighting that while management must take the lead in prioritizing cybersecurity, boards have duties of oversight pertaining to risk assessment, vulnerabilities, plans, processes and preparedness, as well as culture and people. The Australian Securities and Investments Commission recently published key questions for an organization's board of directors.
The Mauritius Financial Services Commission issued a circular letter to boards of directors of financial services companies reminding them of their duty of oversight over management's mitigation of cyber risks.
The attention on privacy and cybersecurity is only likely to expand given the vast amount of data being generated globally each day. Every second, 127 new connected devices come online, which amounts to 11 million new connected devices added daily. In 2022, it is estimated that the world will produce and consume 94 zettabytes of data. To put this number in perspective, one zettabyte is a 1 followed by 21 zeros.
In summary, the cybersecurity and privacy landscape has raised the level of accountability across the enterprise risk management and boardroom communities. Heightened board engagement is needed to ensure that security investments are aligned with the material threats facing the organization.
This is the first blog post of a two-part series that shares tactics for boards to address cyber issues.
Originally Published by Nasdaq
© Copyright 2020. The Mayer Brown Practices. All rights reserved.