Geopolitical unrest, cyberattacks and board duties
Russia’s invasion of Ukraine has made cybersecurity threats imminent and fueled the geopolitical attention of ransomware gangs. Given U.S. sanctions on Russia, the possibility of retaliatory cyberattacks by Russian actors or their proxies has increased dramatically, exposing every U.S. business to cyberattack risk.
Russian ransomware gangs have directly threatened nations and organizations that retaliate against Moscow for its invasion. The Conti gang, infamous for cyberattacks on Ireland’s healthcare system, has pledged “full support to [the] Russian government” and promised to use “all possible resources to retaliate against [infrastructure] of an enemy” who launches “a cyberattack or any war activity against Russia.”
In response, U.S. security officials, including the Department of Justice (DOJ) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), have issued warnings to companies about these cyberattack risks.
How to protect your business and yourself
To mitigate risk, boards should insist that management develop a computer security program and monitor the reliability of that program. Drawing on guidance from the DOJ on how to assess the design, implementation, and effective operation of corporate compliance programs in the enforcement of U.S. foreign corrupt practices law, it may be in the interests of directors to address the same issues.
These include: Is the compliance program well designed? Is it applied seriously and in good faith? In other words, does the program have sufficient resources and is it empowered to operate effectively? Does the compliance program work in practice?
CISA has issued guidance encouraging leaders to take these steps: (i) hold information security officers accountable; (ii) lower reporting thresholds; (iii) participate in a response plan test; and (iv) favor continuity.
In addition to the above, the DOJ and the Securities and Exchange Commission (SEC) also consider factors such as whether senior management has (i) clearly articulated corporate standards, (ii) communicated them in unambiguous terms, and (iii) strictly adhered to them. We anticipate that stakeholders will ask similar questions to determine whether corporate boards have fulfilled their fiduciary duties in relation to cyberattacks.
To ensure that the answer to the previous questions is “yes”, boards should consider evaluating current cybersecurity systems, adding talent with expertise in this area, and including updates and cybersecurity discussions at regular meetings.
It is also important to create a crisis preparedness plan. Here are some of the questions to consider in ensuring data security: (i) Is the data backed up? (ii) How do employees communicate or access key data if forced to work offline due to a cyberattack? (iii) If files are compromised, what procedures are in place to notify those whose information was part of the breach?
As cybercriminals become more sophisticated and technology evolves, the list of procedures businesses must put in place to properly protect their customers and employees will continue to grow.
The impact of a cyber breach on fiduciary duties
In the wake of geopolitical turmoil, directors and executives are facing growing concern over data security as various state and federal regulatory agencies implement increasingly stringent rules in this space.
States have adopted new consumer data privacy regulations, such as the California Consumer Privacy Act (CCPA), which is comparable to the European General Data Protection Regulation (GDPR). Other states, such as New York and Colorado, have also adopted data security requirements.
Recently, in response to the Log4j vulnerability found in commonly used software, the Federal Trade Commission issued a statement indicating that it would treat a failure to take action to mitigate the risk this software poses as “endangering the security of users”.
Meanwhile, the SEC recently proposed a series of rules and amendments, including requirements for investment advisers and funds, to implement cybersecurity protocols and report cybersecurity incidents.
Given the increase in cybersecurity risks and regulatory oversight, boards should consider how these risks may relate to their oversight responsibilities under the Caremark doctrine. The court in Marchand v. Barnhill explained that the Caremark doctrine allows directors to be held personally liable for a breach of their duty of loyalty if they do not make “a good faith effort to set up a monitoring system and then monitor it” regarding risks that are “mission critical”. The Delaware court recognized that “[c]ybersecurity has increasingly become a core compliance risk deserving board-level oversight…”.
As cybersecurity threats increase, boards should be aware of how their companies approach cybersecurity in risk management, governance, and internal and external reporting structures around cyber, and should assess whether they need to bring in additional directors with cybersecurity experience.
As the war between Russia and Ukraine continues to rage and US-centric hacker groups such as Anonymous have made public statements waging a cyberwar against Russia, U.S.-based companies are at increasing risk of cyberattacks. Cybersecurity is in the spotlight in a way the world has never seen before, so it is of the utmost importance that directors and leaders take the necessary steps to protect their businesses, their stakeholders and themselves, even in this troubled time.
This column does not necessarily reflect the opinion of the Bureau of National Affairs, Inc. or its owners.
Cynthia J. Cole is the assistant department manager for the corporate section of the Palo Alto and San Francisco offices of Baker Botts. She focuses on corporate, strategic and technology transactions, data privacy and cybersecurity.
Danny David is Co-Chairman of the Litigation Department of Baker Botts. He specializes in securities litigation and regularly represents corporations and directors in securities class actions and fiduciary duty lawsuits in Texas, Delaware and across the United States.
Travis Wofford is chairman of the corporate department at Baker Botts in Houston, vice president of the global M&A practice and a member of the Securities Opinion Committee. He focuses on mergers and acquisitions, shareholder engagement and corporate advisory work, and advises clients on matters of fiduciary duty and corporate governance, including the oversight of transactions with shareholders and related parties.
Hailey Ullmann is a legal assistant at Baker Botts.