Photo: Shutterstock

Recent regulatory developments make it clear that cybersecurity is a board-level issue, intimately tied to the stewardship and overall risk profile of an organization.

SEC Cybersecurity Disclosure Guidance

In 2011, the U.S. Securities and Exchange Commission issued guidance on cybersecurity incident disclosure. Earlier this year, on Feb. 26, the SEC updated its guidance to further emphasize the criticality of cybersecurity preparedness for public companies, advising corporate directors to consider “the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents.” The guidance also included reminders about applicable insider trading obligations related to disclosures of “material nonpublic information about cybersecurity risks or incidents.” While not explicitly calling for cybersecurity knowledge at the board level, the guidance does emphasize a growing list of cybersecurity topics directors must consider to effectively manage risk.

General Data Protection Regulation (GDPR)

Another example of the increased focus on data protection and its implications for cybersecurity comes from the European Union (EU). Two years after its adoption, enforcement of the General Data Protection Regulation (GDPR) began on May 25, 2018. This means that many companies around the globe are now obligated to take additional steps to protect the data of their customers and employees. While this regulation is specific to companies dealing with personal data originating in the EU or European Economic Area (EEA), its extraterritorial reach is already transforming the cybersecurity posture of organizations worldwide.

GDPR stipulates principles not only for protecting commonly held personal data such as name, address and ID number, but, in fact, any unique identifier of a “natural person” (living human being) under the law. Depending on context, this may encompass geolocation, IP address and cookie information. Political, racial, sexual and genetic data points receive special protections under the regulation. Due to its breadth, companies are spending millions to comply by leveraging several variations of cybersecurity and privacy controls. Accordingly, it is important for a board to understand whether compliance money is being spent effectively and in a way that will help mitigate against the risks of being fined for GDPR noncompliance. Depending on the category and severity of a violation, penalties for noncompliance can be as significant as 20 million euros (close to $25 million in USD) or 4 percent of annual global turnover (revenue), whichever is higher.

Ultimately, the GDPR is principles-based rather than prescriptive, making it open for interpretation. There are six principles that must be followed when processing personal data, along with an underlying principle of accountability to demonstrate compliance. To prevent security breaches and lawfully process personal data, organizations must take into account the “state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk” when implementing safeguards to protect their personal data. Such language provides an opportunity for board members to offer guidance based upon experiences across multiple organizations to ensure that appropriate cybersecurity protections are adopted to meet ever-evolving threats.

NIS Directive

Another cybersecurity regulatory development is the European Union's NIS Directive, which member states were required to implement as national legislation by May 9. Focused on critical industry sectors, rather than data types, the directive mandates heightened cybersecurity requirements for organizations in the energy, transport, water, health, finance and critical digital service sectors. This means that board members in such sectors must ensure that cybersecurity capabilities and practices meet these standards.

Australian Data Breach Notification

Though not a holistic cybersecurity law, Australia recently implemented the Notifiable Data Breaches scheme, raising data breach notification requirements for companies that make $3 million (AUD) or more, as well as those in specific sectors, such as health care. This increases the impetus for Australian organizations to adopt cybersecurity measures to prevent data breaches, as well as to develop a plan for identifying, responding to, and reporting breaches when they occur.

Canada's Breach of Security Safeguards Regulations

Earlier this year, Canada updated its existing Personal Information Protection and Electronic Documents Act (PIPEDA) to enhance breach reporting obligations. Where an organization experiences a personal data breach that is reasonably believed to pose a “real risk of significant harm” to individuals, it must notify the privacy commissioner and the individual “as soon as feasible.” This duty to inform requires that organizations provide information about the significance of the breach and recommended steps to mitigate harm. These new regulations go into effect on Nov. 1 and mean that boards should ensure that their organizations are able to adequately investigate and assess security incidents as part of a plan to report them, where appropriate.

NACD Director's Handbook

One of the key realities of recent developments is that cybersecurity is no longer a suggestion—companies that do not protect personal data and make notifications in a timely manner are subject to substantial fines.

Appropriately, the National Association of Corporate Directors (NACD) released a Director's Handbook on “Cyber-Risk Oversight” just last year. In this 2017 document, one of the guiding principles states, “Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.” The remaining principles address the need to not merely understand cybersecurity as an IT risk, but to comprehend the legal implications of cyber risks, setting the expectation that cyber risk management frameworks are developed, and understanding the types of conversations related to cyber risks that should be happening at the board level.

Drew Bagley is vice president and counsel, privacy and cyber policy at CrowdStrike.