Reasonable Cybersecurity: The Evolving Role of Board and Executive Management
By Elise Elam, Digital Risk Advisory and Cybersecurity Partner, BakerHostetler
The importance of having a robust and evolving cybersecurity program is not new. What is new is an increased focus by regulators on management and board oversight of cybersecurity programs. Both federal and state regulators have recently updated regulations to clarify this point and have brought enforcement actions against or entered into consent orders with companies, citing, among other things, insufficient executive and/or board oversight.
New and Updated Regulations
Over the past few years, regulatory bodies have enacted or updated cybersecurity-related regulations requiring increased board and senior management involvement in an organization’s cybersecurity program. For example, the Securities and Exchange Commission (SEC) cybersecurity rule created new obligations that became effective in December 2023, including, in relevant part, an obligation to describe in Item 1C (a new section of Form 10-K) how the company’s management and board oversee cybersecurity risks and how management assesses and manages those risks.
The New York Department of Financial Services updated its Cybersecurity Regulation to add responsibilities of a covered entity’s “senior governing body,” including that the senior governing body must (1) exercise effective oversight of the covered entity’s cybersecurity risk management; (2) have sufficient understanding of cybersecurity-related matters to exercise such oversight (which may include the use of advisors); and (3) require the covered entity’s executive management or its designees to develop, implement and maintain the covered entity’s cybersecurity program.
Expanding Scope of Existing Law
Regulators like the SEC and Federal Trade Commission (FTC) have interpreted the statutes they enforce as requiring certain cybersecurity measures and processes. For instance, the SEC has interpreted the requirement of public companies to have appropriate accounting controls as including an obligation to have an effective cybersecurity program. Similarly, the FTC has fined companies for engaging in “unfair and deceptive trade practices” by having insufficient cybersecurity measures (and representing to consumers that the company did, in fact, have effective cybersecurity measures). Likewise, states often enforce cybersecurity measures through consumer protection laws that, when enacted, had nothing to do with cybersecurity.
Enforcement
Reviewing published consent orders between regulators and companies provides insights into what the regulators view as “reasonable security” and what those regulators expect to see in a cybersecurity program. Many consent orders specifically mandate greater oversight by company leadership.
On Jan. 15, the FTC announced it had entered into a consent order with GoDaddy for violations of the FTC Act for allegedly inadequate cybersecurity practices. The consent order requires GoDaddy to, among many other things, establish, implement and maintain a comprehensive information security program and to provide the written information security program – and any material evaluations of or material updates to the program – to GoDaddy’s board of directors (or relevant committee) or governing body at least annually and within 120 days after certain cybersecurity incidents.
In June 2024, the SEC entered into a resolution agreement with a company that agreed to pay $2.125 million to resolve disclosure and control violations alleged by the SEC regarding a December 2021 ransomware incident. In the cease-and-desist order, the SEC alleged, in relevant part, that the company failed to design effective disclosure controls and procedures to escalate information about cybersecurity incidents to management in a timely manner.
The prior year, a multistate group of 50 attorneys general settled with software company Blackbaud Inc. for $49.5 million to resolve allegations of inadequate cybersecurity measures and misrepresentations of how it safeguarded information prior to a 2020 ransomware incident. The agreement stipulated, in relevant part, that Blackbaud shall employ a chief information security officer (CISO) who will (1) provide an annual report to the board of directors on the adequacy of Blackbaud’s information security program; (2) provide reports to the board of directors and inform, advise and update the board of directors regarding Blackbaud’s security posture and the security risks faced by Blackbaud; and (3) notify the CEO of certain security incidents within 48 hours of discovery and notify a member of the board of directors (if the CEO is not a member of the board of directors) within 72 hours of discovery.
Takeaways
To be sure, there are criticisms of overreach by regulators, including the SEC and FTC, which have attempted to shoehorn requirements for cybersecurity policies and procedures into unrelated statutes that never contemplated such requirements. Regardless, board (or equivalent) and executive management oversight of an organization’s cybersecurity program is still good practice and is expected by both state and federal regulators.
So, what can your organization do to meet these requirements and expectations?
- Develop an Incident Response Plan
  - Draft or update your incident response plan to include the processes for declaring, classifying and escalating a cybersecurity incident.
  - Identify in the plan the roles of the CISO and board (or senior governing body) during a cybersecurity incident, including the process for and timing of escalating incidents to leadership.
- Practice the Plan
  - Prior to a cybersecurity event occurring, organizations should regularly (typically annually) practice their incident response plan, usually through a tabletop exercise.
  - Consider conducting separate tabletop exercises, one for the incident response team and one for the executive leadership team, with a briefing to the board (or relevant committee).
- Update the Board on the Organization’s Cybersecurity Program
  - To ensure board (or senior governing body) oversight of the company’s cybersecurity program, the CISO should regularly report to the board regarding the company’s program, including material changes to and assessments of the program, as well as the cyber-related risks facing the organization.
* * *
Following these steps will help any organization be better prepared for a cybersecurity incident, whether large or small. Importantly, having top-down support from company leadership establishes the right tone—that cybersecurity is a priority—for the entire organization.