Cyber risk management is an increasingly important challenge for organizations of all kinds and sizes. Corporate directors have a legal responsibility to ensure that their corporations have appropriate cyber risk management policies and practices and are prepared to respond effectively to cyber incidents. Corporate directors can obtain helpful guidance from regulators, industry associations and other organizations.
Cyber risks appear to be increasing in frequency, intensity and harmful consequences as a result of various circumstances, including increasing sophistication and complexity of cyber-attacks, increasing use of information technology (e.g. increased access points and use of third-party services and infrastructure) and data (e.g. customer personal information, payment information and Big Data), increasing regulation (e.g. regulated personal/financial information and security breach reporting obligations) and increasing legal liability (e.g. privacy breach liability). Commentators have said that there are only two kinds of organizations — those that have been hacked and know it, and those that have been hacked and don't know it yet.
A corporate director's responsibility for cyber risk management derives from the well-established, generally applicable director's duty of care, which requires a director to exercise the care, skill and diligence that a reasonably prudent person would exercise in comparable circumstances. The duty of care requires a director to proactively supervise management and make informed, properly advised decisions. It is generally accepted that a director's duty of care requires the director to oversee management's activities regarding risk identification and risk management generally, and with particular attention to internal controls and management information systems.... Directors are expected to ensure that management has taken reasonable steps to identify and manage risks through an appropriate risk management program, and directors should have direct oversight regarding significant risks affecting the corporation (which the directors should monitor and discuss regularly with senior management).