ForgeAwareness
Module 14 min

Why Cybersecurity Matters to Boards

TL;DR

Fiduciary duty, shareholder value, and why your liability is real.

You're a board director. You have a fiduciary duty to the company and its shareholders. Cybersecurity is part of that duty.

It's a shareholder value issue.

A material breach can tank stock price. Target's breach cost $18.5M plus lasting reputation damage. Yahoo's breach triggered a $350M reduction in acquisition price.

Your job is to protect shareholder value. A preventable breach destroys it on your watch.

It's a fiduciary duty issue.

Delaware corporate law is clear: directors have a duty to be reasonably informed. That includes cybersecurity risk.

What does "reasonably informed" mean? You understand:

  • What data the company holds and the risk if it's lost
  • What controls are in place to protect it
  • What the CISO says the maturity level is
  • What risks remain and how they're being managed

You don't need to know how to hack a firewall. You do need to know the company's threat landscape.

It affects your personal liability.

If the company has a material breach and the board was negligent about cybersecurity oversight, directors can be personally liable.

It affects insurance and M&A.

Insurance: Cyber insurance premiums are rising. Insurers won't pay if controls were obviously inadequate. A good posture equals lower costs.

M&A: Acquirers do cybersecurity due diligence. A weak posture kills deals or tanks valuation.


Bottom line: Cybersecurity isn't a technical problem. It's a business risk and a fiduciary duty.

Knowledge check

Knowledge check 1

What does 'fiduciary duty' mean in the context of cybersecurity oversight?