Corporate directors have a legal responsibility to ensure that their corporations have appropriate cyber risk management policies and practices, and are prepared to respond effectively to cyber incidents. That responsibility derives from the director’s duty of care, which requires a director to exercise the care, skill and diligence that a reasonably prudent person would exercise in comparable circumstances. The duty of care requires a director to proactively supervise management and make informed, properly advised decisions.
Regulators, self-regulatory organizations and industry associations have emphasized that corporate directors must be engaged and take an active role in cyber risk management activities, and must ensure that management has properly implemented appropriate policies and procedures to manage cyber risks and to effectively respond to cybersecurity incidents.
Corporate directors can obtain helpful guidance, including risk governance frameworks and questions to ask management, from various regulators, organizations and associations. Recently published guidance includes the NACD Director’s Handbook on Cyber-Risk Oversight (January 2017) and the World Economic Forum’s Advancing Cyber Resilience: Principles and Tools for Boards (January 2017).