Why boards need to be paying attention to cybersecurity now

Contrary to popular belief, cybersecurity is not an operations issue! Cybersecurity is frightening, and boards love to disassociate from it by saying it is “operational” and thus not their responsibility. However, it is a critical issue for the whole organization, and the legal requirements for corporate boards to pay attention to this issue are growing. With increasing numbers of data breaches and cyber-attacks, the legal landscape is rapidly evolving to protect both organizations and their customers from the consequences of these events. Here are a few key legal requirements that corporate boards should be aware of when it comes to cybersecurity:

  • Data protection laws: Many countries have enacted data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), that require organizations to take appropriate measures to protect the personal data of their customers and employees. This includes implementing technical and organizational measures to prevent unauthorized access to personal data, and ensuring that the company has a process in place for responding to data breaches.
  • Cybersecurity regulations: Some industries, such as finance and healthcare, have specific cybersecurity regulations that companies must abide by. These regulations can include requirements for regular risk assessments, incident response plans, and the implementation of security technologies.
  • Contractual obligations: Companies often have contractual obligations to their customers and partners to protect the data they are entrusted with. Failing to meet these obligations can result in financial and reputational damage, and may even lead to legal liability.
  • Corporate governance laws: In many countries, corporate boards have a fiduciary duty to ensure that the company is managed in the best interests of its shareholders. This includes taking steps to protect the company’s assets and data from cyber threats.
  • Tort law: Companies can also face legal liability under tort law if they fail to take reasonable steps to protect their customers’ data. This can include negligence, breach of contract, and misrepresentation claims.

Corporate boards must be aware of the growing legal requirements around cybersecurity. Failure to meet these requirements can result in legal liability, financial losses, and reputational damage. By staying informed about the latest laws and regulations, conducting regular risk assessments, and implementing appropriate security measures, corporate boards can help ensure that their organizations are protected from cyber threats and meet their legal obligations. I outlined a number of items a board should be doing in my post on corporate boards: The role of the corporate board in cybersecurity – Paul Bergman

Paul Bergman