From: New York Law Journal
David A. Katz and Laura A. McIntosh
“The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.”1
In today’s technology-driven environment, public companies must constantly confront the challenge of cybersecurity, in its complex, varied, and ever-adapting forms. Cybersecurity breaches regularly fill the headlines,2 the costs of cybercrime are skyrocketing,3 and the repercussions of corporate cyber-attacks are felt all the way from chief executives to retail customers. President Barack Obama has stated that “the private sector and the government can, and should, work together to meet this shared challenge,”4 while FBI Director Robert S. Mueller has described “the critical role the private sector must play in cyber security.”5 As companies become increasingly dependent on networked technology, and as an expanding number of people conduct transactions and other activities online, cybersecurity will continue to grow in importance for the business community, for the global economy, and for society at large.
Pressure for boards to establish and maintain high standards for the management of cyber-risk comes not only from government officials, regulators, and shareholders but also from plaintiffs’ lawyers, as expanding class action litigation in this area is an unfortunate repercussion of increasing cybercrime. Recent regulatory initiatives and the adoption of the National Institute of Standards and Technology (NIST) Framework earlier this year6 offer guidance for boards of directors as they work to understand and oversee the myriad aspects of corporate cybersecurity.