A new study released by NYSE Governance Services and security firm Veracode, “Cybersecurity and Corporate Liability: The Board’s View,” is a must-read for directors and officers. Veracode was quite accommodating when I asked for a copy.
The report is based upon a survey of 276 directors and officers of publicly traded companies, “to draw parallels between businesses’ cyber risk management practices and their efforts to address cybersecurity liability matters.”
The results are sometimes surprising—such as, “89% of surveyed directors and officers believe that a company that does not make reasonable efforts to secure its data should be held liable by regulators.” So they believe that they should be held accountable, but what are considered “reasonable efforts”? The points made in the report about what is reasonable are spot on. And who determines what is “reasonable”?
It is also interesting to note the impact the Wyndham Worldwide shareholder derivative suit had on the directors and officers surveyed and the final conclusion that there will be an increase in shareholders’ lawsuits against officers and directors for cybersecurity liability. Based upon how the litigation environment has changed over the past two years, this conclusion is one to take into the boardroom. If you are a board member, check out the survey report—it is well worth the time.