Page 26 - Delaware Lawyer - Spring 2020

FEATURE
other equally important corporate goals. While some of the lawsuits and regulatory enforcement actions outlined above have indicated that directors and officers need only take several basic steps to satisfy their fiduciary duties, the Marchand and Clovis decisions indicate that the tide may be shifting, albeit marginally, in favor of the plaintiffs’ bar.
While some have suggested the need for more prescriptive corporate-governance approaches to cybersecurity issues, including requiring board expertise in the area similar to the audit expertise the Sarbanes-Oxley Act of 2002 requires, these suggestions have gained limited traction.144 The evolution of specific cybersecurity requirements and legal standards may become a reality moving forward, but they would likely be extremely burdensome given the rapidity of technological change and threat evolution. In the meantime, recent court decisions and regulatory actions provide many lessons to inform corporate cybersecurity program development and oversight.145 Utilizing the NACD’s guiding principles and implementing some, or all, of the simple solutions outlined below can help directors and officers better ensure that they avoid legal liability and may also help protect companies’ information assets and bottom lines.
A. NACD Guiding Principles
The NACD is the recognized authority on leading boardroom practices and has set the standards for responsible board leadership practices for roughly 40 years.146 On January 12, 2017, the NACD and the Internet Security Alliance released the 2017 edition of the NACD Director’s Handbook on Cyber-Risk Oversight. In relevant part, the handbook outlines “five principles for effective cyber-risk oversight.”147 These principles provide “all directors, including members of private-company and nonprofit boards,” with a basic framework for protecting the “valuable data and related assets that are under constant threat from cyber-criminals or other adversaries.”148
1. NACD Cybersecurity Principle 1
First, the NACD recommends that boards should “understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.”149 Many high-profile attacks have resulted from cyber risks outside the scope of traditional hacking, including the exploitation of vulnerabilities within the company’s corporate network of vendors and suppliers. Effective oversight benefits from recognition by boards that there are “varying levels of risk” for their enterprises and that it is helpful to “consider not only the highest-probability attacks and defenses, but also low-probability, high-impact attacks that would be catastrophic.”150 While the NACD Blue Ribbon Commission on Risk Governance recommends that risk oversight be a function of the full board, NACD research suggests half of the boards assign this task to the audit committee.151 The NACD acknowledges that there is no single approach but that “[t]he nominating and governance committee should ensure the board’s chosen approach is clearly defined in committee charters to avoid confusion or duplication of effort.”152
2. NACD Cybersecurity Principle 2
Second, the NACD recommends that “[d]irectors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.”153 To protect themselves against litigation, board members should consider “maintaining records of boardroom discussions about cybersecurity and cyber risks, staying informed about industry-, region-, or sector-specific requirements that apply to the organization, and determining what to disclose in the wake of a cyberattack.”154 The NACD also suggests that cyber breach simulations, commonly referred to as tabletops, can help companies and boards better prepare for more effective incident responses.
3. NACD Cybersecurity Principle 3155

Third, NACD suggests “[b]oards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.”156 An NACD survey of public-company directors found that “89.1 percent of respondents reported that their boards discuss cybersecurity ‘on a regular basis.’”157 However, the board’s responsibilities have grown as the cyber threat has grown. While some companies may want to consider adding “cybersecurity and/or IT security expertise directly to the board via the recruitment of new directors,” there is no “one-size-fits-all” approach for improving a company’s access to cybersecurity expertise.158 Moreover, the NACD recommends “enhancing management’s reports to the board.”159
4. NACD Cybersecurity Principle 4
Fourth, NACD advises that “[d]irectors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.”160 Rather than utilizing siloed reporting structures and decision-making processes, board members have a unique opportunity to help ensure that management views cybersecurity risk through an enterprise-wide lens. Specifically, the NACD references the 2014 National Institute of Standards and Technology Cybersecurity Framework and suggests that “[d]irectors should set the expectation that management has considered the [framework] in developing the company’s cyber-risk defense and response plans.”161 This enterprise-wide lens, when utilized properly, may also aid the board in defending the corporation’s choices and oversight of those decisions.
5. NACD Cybersecurity Principle 5
Finally, “[b]oard-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.”162 The NACD acknowledges that “[t]otal cybersecurity is an unrealistic goal” and “security is not the equivalent of compliance.”163 Therefore, in a similar manner to other risk areas, the chosen strategy for cybersecurity should align more broadly with the company’s general risk tolerances and, increasingly, specific cybersecurity risk tolerance. Bad situations will happen, but planning and preparation both to avoid incidents and to manage responses effectively using risk-based approaches can help inocu-