Cyber Risk Management Guidance for Corporate Directors

February 24, 2017

Cyber risk management is an increasingly important challenge for organizations of all kinds and sizes. Corporate directors have a legal responsibility to ensure that their corporations have appropriate cyber risk management policies and practices and are prepared to respond effectively to cyber incidents. Corporate directors can obtain helpful guidance from regulators, industry associations and other organizations.

Cyber risks are the risks of damage, loss and liability (e.g. business disruption, financial loss, loss to stakeholder value, reputational harm, trade secret disclosure and other competitive harm, legal non-compliance liability and civil liability to customers, business partners and other persons) to an organization resulting from a failure or breach of the information technology systems used by or on behalf of the organization, including incidents resulting in unauthorized access, use or disclosure of regulated, protected or sensitive data. Cyber risks can result from internal sources (e.g. employees, contractors, service providers and suppliers) or external sources (e.g. nation-states, terrorists, hacktivists, competitors and acts of nature).

Cyber risks appear to be increasing in frequency, intensity and harmful consequences as a result of various circumstances, including increasing sophistication and complexity of cyber-attacks, increasing use of information technology (e.g. increased access points and use of third-party services and infrastructure) and data (e.g. customer personal information, payment information and Big Data), increasing regulation (e.g. regulated personal/financial information and security breach reporting obligations) and increasing legal liability (e.g. privacy breach liability). Commentators have said that there are only two kinds of organizations — those that have been hacked and know it, and those that have been hacked and don’t know it yet….SOURCE

| Lexology