Experiencing a corporate cyber-attack is not a matter of “if” but “when” and boards of directors are quickly realizing that cybersecurity risk, formerly the province of corporate IT executives, has suddenly become fertile boardroom territory.
Yet cyber-attacks can be extraordinarily complicated and, once identified, demand a host of costly and detailed responses, including digital forensic preservation and investigation, notification of a broad range of third parties and other constituencies, fulfillment of state and federal compliance obligations, potential litigation, engagement with law enforcement, the provision of credit monitoring, crisis management, a communications plan – and the list goes on. And besides the more predictable workflow, a company is exposed to other even more intangible costs as well, including temporary or even permanent reputational and brand damage; loss of productivity; extended management drag; and a negative impact on employee morale and overall business performance.
So what is the role of a board of directors amid all of this complex and bet-the-company workflow? Corporate directors clearly have a fiduciary duty to understand and oversee cybersecurity, but there is no need for board members, many of whom have limited IT experience, to panic. Cybersecurity engagement for members of the board does not mean that board members need to have computer science degrees or personally supervise firewall implementation or intrusion detection system rollouts. Instead, board oversight of cybersecurity entails, most importantly, asking the right questions and being thoughtful, deliberative and informed about cybersecurity and its attendant risks.
By partnering with John Reed Stark Consulting, a board of directors can instantaneously meet its cybersecurity-related fiduciary obligations and oversight responsibilities, and draw upon more than 20 years of cybersecurity and data breach response experience, expertise and independence.
Learn More
For more information about John Reed Stark’s capabilities and expertise, review his recent articles and webcasts on cybersecurity and incident response in his Publications and in his blog, entitled Stark on IR. A few relevant samples include:
Article | TOP CYBERSECURITY CONCERNS FOR EVERY BOARD OF DIRECTORS, PART FOUR: DATA MAPPING AND ENCRYPTION
TOP CYBERSECURITY CONCERNS FOR EVERY BOARD OF DIRECTORS, PART THREE: TECHNOLOGY
TOP CYBERSECURITY CONCERNS FOR EVERY BOARD OF DIRECTORS, PART TWO: PEOPLE
TOP CYBERSECURITY CONCERNS FOR EVERY BOARD OF DIRECTORS, PART ONE: GOVERNANCE
Parts 1,2 3 and 4 of a 4-part comprehensive and plain English series, published by NASDAQ, for board members and their advisers.
Article | Boards of Directors and Cybersecurity: Applying Lessons Learned From 70 Years of Financial Reporting Oversight
Webcast | Cybersecurity and Financial Firms: Legal Counsel as Quarterback for Data Breach Incident Response
About John Reed Stark
John Reed Stark President of John Reed Consulting LLC. Served for 15 years as an SEC enforcement attorney leading cyber-related projects, investigations and enforcement actions; For 11 years as Founder/Chief of SEC Office of Internet Enforcement; For 15 years as Adjunct Professor at Georgetown University Law School teaching cyber law; For 10 years as a Guest Instructor at the FBI Academy; For 5+ years as Managing Director (three as head of the Washington, D.C. office) of Stroz, Friedberg, a global digital risk management firm, leading cybersecurity, incident response and digital compliance engagements for corporations. Appointed since 2017 as Senior Lecturing Fellow at Duke University Law School teaching law of cybersecurity and data breach response. Author of The Cybersecurity Due Diligence Handbook. 
