Cybersecurity threats: do the independent directors really know?

Paul Ferrillo

A comprehensive cybersecurity study was recently published by NASDAQ and Tanium (a leading cybersecurity consultant) on, among other things, the state of directors’ and officers’ knowledge and awareness of cybersecurity issues within their own companies.

The study surveyed over 1,500 executives in seven countries, including the U.S., U.K., Germany, Japan, and the Nordic countries. Our takeaways from the survey are plentiful. Given the high-profile breaches in both countries, U.S. and U.K. executives are certainly ahead of their counterparts in the cybersecurity game. With changes soon to be made to the EU cyber disclosure laws, it will be interesting to see whether executives in the EU can play a good game of catch-up.

One of the more interesting takeaways was the level of knowledge and awareness of U.S. non-executive directors, or “independent directors,” on cybersecurity issues. Though higher than their counterparts in the EU, we found the percentages for U.S. independent directors surprisingly low, especially given high-profile breaches like Target, Home Depot, Anthem, and the U.S. Office of Personnel Management. This raises the question: why didn’t independent directors show a higher level of cyber awareness and responsibility? Was it a lack of information bubbling up from IT management to the C-suite and the directors? Was it a lack of time spent by the board as a whole on cybersecurity? Or is the answer simply somewhere in between?

As cybersecurity threats continue to mount in the U.S. (e.g., the recent spate of ransomware attacks affecting hospitals and healthcare organizations), board knowledge of cybersecurity risks is paramount. It is the directors’ fiduciary duty to be engaged and knowledgeable. But we must not place the blame on them alone. Organizations as a whole need to communicate better about the cybersecurity risks, threats, and maturity levels within their organizations. Too many times, we hear at board meetings “oh, everything is just fine,” with not a lot of pushback. Well, from experience, we know everything is not just fine.

The gist is, do the independent directors know?

Paul Ferrillo is counsel in Weil, Gotshal & Manges’ Litigation Department.
