
Board Oversight of Cyber Risk Simplified

December 18, 2024 | 10 min read

When Cybersecurity Executives and Corporate Board Members Fail to Appreciate Risk, They Breach Their Fiduciary Duties

The maxim, "awareness of an adverse condition creates a duty to act," is the most succinct characterization of the fiduciary mandates of corporate executives and board members that I can think of. Unfortunately, many senior cyber executives and board members whose companies are under relentless attack from threat actors, many of whom are malicious insiders, do not appreciate the gravity of the threats despite their deep knowledge and experience in business affairs.

Take, for example, an organization that for years had a data loss prevention program that, for all intents and purposes, was a sieve through which intellectual property exfiltration occurred due to an internal misalignment of competencies and the use of unvetted technologies. What about organizations whose critical business processes are riddled with hidden open-source code library vulnerabilities that leave those processes open to threat actor exploitation? In scenarios such as these, there is little doubt that if the leaders of those functions were informed of known deficiencies and the resulting risks, or had capabilities that would surface unknown risks, yet failed to take action, they could be deemed culpable of misfeasance.

The potential breach of fiduciary responsibility doesn't end there, though; the ripple effect of this scenario extends into the board room and can completely blindside board members who fail to ask the right questions or who were intentionally kept in the dark.

The intent of this brief paper is to provide corporate board members with the knowledge that they can have bespoke corporate cyber risk intelligence at their fingertips that can help them better understand the nature of risks their organizations face and the capability gaps that can lead to unmitigated disaster for their organizations and their reputations. While it is true that many organizations provide regular updates from expert, independent 3rd party auditing/advisory and consulting firms, the truth is that many of these firms are not as independent or necessarily as competent as they should be. The unfortunate fact is that longstanding relationships between executives and the firms they hire are often incestuous and lead to curated findings that minimize the fact that security controls in the firms they audit are insufficient or vulnerabilities exist of a nature that necessitates immediate remedial action. All too often, it's only after a major breach, compliance failure, or whistleblower action that the right questions are asked. Unfortunately, by then, reputations will be tarnished as shareholder suits and regulatory inquiries lay bare damning facts.

Lack of Line of Sight to Challenges

Board members of large corporate organizations with complex infrastructure and subject to intense regulatory scrutiny are increasingly nervous, and rightfully so, as they ask themselves, "Do I have sufficient understanding of and visibility into the inner workings of the organizations on whose boards I sit?" If you're one of those board members with similar questions, dozens of studies, including the selected ones below, show you're not alone:

  • The 2022 Governance Outlook survey conducted by the National Association of Corporate Directors (NACD) found that many board members feel they lack the necessary insight into cybersecurity risks and the digital infrastructure of the companies they oversee; nearly 60% of directors surveyed identified a gap in their board’s understanding of cyber risks and more than half of the respondents expressed concerns about the quality of cybersecurity information they receive from management.

  • The 2023 PwC Annual Corporate Directors Survey found that a significant number of directors are rethinking their ability to adequately oversee digital and cybersecurity risks: 40% of directors admitted they don’t feel fully confident in their company’s cyber preparedness, and 59% feel they lack the requisite visibility or expertise to effectively assess internal controls and governance practices.

  • The 2022 Cybersecurity Imperative Study by ESI ThoughtLab found that over 50% of corporate board members believed they were not sufficiently equipped to oversee cybersecurity strategy and governance effectively because they are hindered by a lack of understanding of the company’s technological capabilities and vulnerabilities. At the same time, 69% of respondents acknowledged the need for greater board involvement in cybersecurity decision-making. The study also reported that directors rely too heavily on internal management, whose self-interests and biases could leave gaps in understanding critical operational risks.

Not All Experts are Equal

Many of the board members who participated in the surveys above are patently aware that hiring top-tier audit/advisory firms is not a silver bullet. Those who were on the boards of the selected companies below found out the hard way, as the 3rd parties they brought in did not fully appreciate the risks or provide the proper guidance:

  • Wirecard - their auditor's practices, reporting on cybersecurity risks, and their failures to properly scrutinize IT infrastructure were questioned in the wake of massive fraud by insiders leading to the collapse of the company.

  • Colonial Pipeline - a key cog in the American energy critical infrastructure sector; its auditor and advisory firm was criticized for significantly underestimating ransomware risks and under-disclosing cybersecurity vulnerabilities to the board.

  • Marriott Data Breach - the breach originated in the Starwood hotel chain, which Marriott had acquired, and involved an undetected vulnerability that had persisted for years, which we at Wealthyer consider to be an M&A due diligence failure to detect dormant cyber liability. In this scenario, their auditor/advisory firm faced questions over its audit of Marriott’s cybersecurity risk management practices, particularly its failure to identify weaknesses in the acquired Starwood IT systems.

Director Fiduciary Duties

All corporate directors and officers are aware of their fiduciary duties toward the corporation and its shareholders, primarily the duties of care, loyalty, and good faith. The maxim “awareness creates the duty to act” ties into these fiduciary duties, especially the duty of care, which obligates directors and officers to make informed and prudent decisions to protect the company’s interests.

Duty of Care: When directors or officers become aware of a risk or issue (e.g., financial mismanagement, legal compliance problems, cybersecurity vulnerabilities), they are expected to take reasonable steps to address or mitigate the threat. This includes consulting with experts, holding internal investigations, or implementing policy changes.

Duty of Loyalty: The duty of loyalty requires directors and officers to prioritize the interests of the corporation and its shareholders above personal interests. Failing to act after becoming aware of a condition that harms the company (weak security controls, having insufficient visibility into enterprise and supply chain resilience) could breach this duty if it benefits them personally or if their inaction harms the company.

Duty of Good Faith: Directors and officers are also required to act in good faith in fulfilling their fiduciary responsibilities. A failure to act after gaining awareness of a critical issue could demonstrate bad faith, particularly if there is evidence that they intentionally ignored the issue or covered it up.

The Distinctions Between Cyber Misfeasance and Malfeasance

Failure to Act as Misfeasance or Malfeasance

When directors or officers fail to act after becoming aware of an issue, their inaction can fall into two legal categories: misfeasance or malfeasance.

  • Misfeasance: This refers to the improper performance of a lawful act in relation to one's role or remit (job description). For directors and officers, this might involve a failure to act in a manner consistent with their fiduciary duties once they are aware of a cyber or privacy issue that could have an adverse impact on the organization. Misfeasance most often arises from negligence or inaction with respect to a condition that one knew about or should have known about. For example, if a director knows about significant cybersecurity vulnerabilities and fails to take appropriate steps to remedy them, and a data breach occurs, that failure could be considered misfeasance. In this case, the director did not necessarily act with ill intent, but their failure to act properly (an omission) caused harm.

  • Malfeasance: This is more severe and refers to the intentional commission of a wrongful or unlawful act. If a director or officer is aware of a harmful condition but intentionally ignores it or actively conceals it, this could be considered malfeasance. Malfeasance implies a knowing and deliberate wrongdoing, which could expose directors and officers to legal liabilities, including lawsuits or regulatory penalties. For example, if a director intentionally disregards a whistleblower’s report of financial fraud within the company, which leads to regulatory violations, that could be malfeasance.

Legal and Regulatory Consequences

Failures to act on known risks or issues can lead to significant legal and regulatory consequences, such as:

  • Shareholder Derivative Lawsuits: Shareholders may sue directors and officers for failing to fulfill their fiduciary duties if their inaction caused harm to the company. These lawsuits often arise when directors or officers fail to mitigate known risks, such as poor cybersecurity practices or environmental violations.

  • Regulatory Penalties: Regulatory bodies such as the Securities and Exchange Commission (SEC) or industry-specific regulators may impose fines or sanctions if they find that directors or officers failed to address known compliance issues. For instance, failing to act on a known cybersecurity risk could result in regulatory action, especially if it leads to data breaches or violations of privacy laws like the GDPR or CCPA.

  • Criminal Liability: In extreme cases, malfeasance by directors or officers could lead to criminal charges, especially if their failure to act on known issues involves fraud, embezzlement, or other illegal activities. These cases are less common but are possible when intentional wrongdoing is involved.

NOTE: In the EU, directors and officers face greater exposure to criminal liability for malfeasance, particularly in cases where their actions facilitate gross breaches of public trust or financial misconduct.

Key Considerations for Directors and Officers

To avoid the specter of misfeasance or malfeasance, directors and officers should:

  1. Proactively Monitor Risks: Directors and officers should have a robust risk management framework in place, ensuring they remain aware of key operational, financial, legal, and cybersecurity risks.

  2. Document Actions: It’s critical to document any decisions made in response to awareness of issues or risks, including consultation with legal or technical experts. This documentation can demonstrate that the directors acted in good faith and fulfilled their duty of care.

  3. Consult Experts: When directors and officers become aware of issues outside their expertise, such as complex legal or technical issues, they should consult external advisors to ensure that the appropriate course of action is taken.

  4. Take Timely Action: Timeliness is critical. Delaying action once an issue is known can exacerbate the potential damage and lead to greater legal and regulatory exposure.

Conclusion

The maxim “awareness creates the duty to act” underscores the responsibility of directors and officers to proactively address risks and issues that arise within a corporation. Failing to act once aware of a situation can lead to accusations of misfeasance or malfeasance, which carry significant legal, financial, and reputational risks. By adhering to their fiduciary duties and taking prompt, well-documented actions, directors and officers can mitigate these risks and safeguard the interests of the corporation and its stakeholders.

At Wealthyer, we will simplify the information into empirically verifiable, easily understandable data points you need as a director to mitigate your organization's risk and preserve your good reputation in an increasingly dynamic regulatory and threat landscape.

Limited Offer: To obtain your organization's board-level cyber risk intelligence report, take the next step:

🔍 Contact me in confidence (under NDA) to obtain your complimentary Wealthyer Board Intelligence specific to your industry or company. The report offers exclusive, tailored insights perfectly aligned with your organization’s specific cyber risk profile, regulatory compliance needs, and supply chain assurance requirements.

Let’s connect for a brief, impactful discussion on how Wealthyer Resilience360 can be the cornerstone of your cybersecurity strategy, empowering you to protect shareholder value, fortify your supply chain, and safeguard your business against future threats.

📞 Let’s Talk: Let’s schedule a brief call to discuss how Wealthyer Resilience360 can be the cornerstone of your cybersecurity strategy, helping you protect shareholder value.

Contact us at: Email: [email protected] | Phone: +1646 306 3833

Jacob Vandersteen is the Founder and CEO of Wealthyer, a leading consulting firm specializing in the financial services industry. With a visionary approach and a commitment to excellence, Jacob has been instrumental in driving innovation and fostering growth within the company and for its clients.

Jacob Vandersteen