ABSTRACT

Great idea, but what does it really mean? What is the board's responsibility when it comes to cybersecurity? The board's role in cybersecurity has changed over the past several years, with the announcement from Aon that cyber events are among the top three triggers for D&O derivative actions. A D&O derivative action is a lawsuit that permits a minority shareholder, as representative of all of the other shareholders, to institute proceedings on behalf of the Company in an attempt to redress a wrong perpetrated by the majority shareholders on the Company, making them personally liable for a cyber event. This is something that cyber insurance companies have been monitoring for several years, and it has actually come to fruition. The board's responsibility has always been to protect the business assets. However, the issue today is that 85% of the business assets are digital. How do you protect digital assets? What data do you need for meaningful reporting that would enable the board to make the best decisions and prioritize cyber risk reduction?