Over the course of my career I’ve had the privilege to serve on numerous Boards of Directors of both public and private organizations. It’s a great honor to have the shareholders and stakeholders of an organization put trust in you, and fellow board members, to watch out for their interests as the highest stewards of that organization. It’s also an honor that comes with great responsibility because if the Board fails, individual board members can be held personally liable.
That’s why deciding to accept a directorship requires meaningful thought. There’s no failsafe playbook for the decision, but the elements certainly need to include an evaluation of what the business does and what markets it operates in, whether the management team has shown itself to be competent and trustworthy, and, at a practical level, whether the company maintains the right type of D&O insurance. Some of these elements are personal, such as whether you support the nature of the business itself, and some are very practical, such as confidence in management.
I’ve used my own decision framework consistently for many years, until very recently, when it became necessary to add a new and very practical element: the need to understand how the organization assesses and manages its cyber risk. It’s an issue that has become too important, and too relevant to the Board, to simply trust as a byproduct of trusting management and believing that the organization probably spends a lot of money and has smart cybersecurity folks.
That’s because events of the last few years have shown that spending a lot of money and having smart cybersecurity folks does not solve the problem. Companies like Maersk, Merck, FedEx, Marriott and others all presumably had seasoned cyber leaders, spent extraordinary amounts of money and believed their insurance programs were sound, only to look back on major events that cost hundreds of millions of dollars and wonder how they could have gotten everything so wrong. That, coupled with the SEC’s new 2018 guidance on how companies should achieve a proactive understanding of their cyber risk, Moody’s announcement that it will start considering cybersecurity in financial ratings, and the recent D&O settlement related to Yahoo’s security breach, combines to definitively embed cybersecurity as a Board of Directors concern.
Therefore, as a Board concern, and one that speaks directly to a Board’s fiduciary responsibility, cybersecurity is something prospective Board members ought to evaluate specifically. But how, given the deeply technical nature of the concern and a vocabulary that is foreign to most people outside of the cybersecurity discipline?
My advice is to use the following four-part evaluation framework: