2.7k views, 4 Comments

VP, Director of Cyber Incident Response in Finance (non-banking), 10,001+ employees
When I got my administration promotion, I had to sign the paperwork that said I could be held personally liable—all of a sudden, I wasn't sure I wanted to be promoted.
2
Global CIO & CISO in Manufacturing, 201 - 500 employees
Due diligence, due care and the interpretation of that—plus the ability to prove that from a directors and officers liability insurance (D&O insurance) standpoint—should scare every director into making sure that they have a specific security, cybersecurity, and IT focus in one of the committees, or as a fully subset committee. You can ask quite a few technology companies who will tell you that if they keep their security under one of the other groups, it's a massive liability. Depending on the incorporation documentation, I believe that every director at the board level would be held liable.
2
Director of Information Security in Energy and Utilities, 5,001 - 10,000 employees
Yes. If they fail to complete at least a certain level of due diligence and invest adequate resources into cybersecurity (publicly traded companies at least).
1
Chief Information Officer in Healthcare and Biotech, 1,001 - 5,000 employees
This is a great question! In my experience, there is nothing to stop shareholders from pursuing derivative or private lawsuits around data breaches. From what I have seen in the media, there have been no individual directors and officers held personally liable for the costs of a data breach to date. But I suspect that will change very soon. However, the risk of individual liability can be mitigated by taking appropriate proactive security measures.

If I remember correctly, in the Caremark decision a Delaware court indicated that directors CAN be held personally liable for failing to monitor and supervise the enterprise. It is a general understanding that a company's board of directors must make a good faith effort to implement an adequate corporate information and reporting system. Failing to do so could be considered a failure of the board to act in preventing a loss resulting from a breach.

I fully expect the Federal Trade Commission to step up the enforcement of corporate data security standards via regulatory actions in the near future.
2
