Cyber Risks: New Focus for Directors (including SEC Disclosure Guidance)
Cyber risks have become a major potential loss exposure for most corporations. Although these risks were nonexistent just a few years ago, most companies today are vulnerable to a growing list of threats relating to technology misuse. Not surprisingly, as businesses have become more reliant on technology, the resulting risks have become far more complex and potentially harmful.
Threats from hackers, thieves, third-party contractors, competitors and employees, as well as inadvertent misuse or loss of data, present potentially catastrophic financial and reputational risks to companies today. Even the most vigilant company can be a victim of a data breach or other cyber loss. Class action lawsuits, huge forensic and mitigation costs, notification and credit monitoring services and data restoration efforts can result in tens or even hundreds of millions of dollars of loss to a company. State attorneys general, federal and state regulators and plaintiff lawyers are all likely and formidable adversaries to the company if something goes wrong. In addition, the company’s computer systems may need to be shut down and business operations may be interrupted.
As with any other major risk exposure, directors should monitor the company’s cyber risks and confirm that reasonable steps are being taken to identify, prevent, mitigate and respond to cyber-related problems when they arise. Because these risks can damage not only the company but also its customers, suppliers, other constituents and even the public, extra caution is necessary. Plus, new federal and state statutes and regulations that mandate appropriate company risk management practices in this area are being adopted with increasing frequency.