Michelle Reed, David Turetsky Quoted in Cybersecurity Law Report on Boards and Cyber Risk
For its article “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability,” The Cybersecurity Law Report interviewed Akin Gump litigation partner Michelle Reed and cybersecurity, privacy and data protection practice co-head David Turetsky on boards of directors and their need to understand—and protect against—cybersecurity threats.
On the role of the board, Turetsky said, “There’s been an increase in cyber risk to companies over the last five years, if not longer. As the exposure and risk to the company increases, so do the board’s responsibilities in identifying, defending and ensuring that the company is appropriately prepared and that the risk level they’re taking on is one that is appropriate to their business,” adding that, as information security risks increase, “the board has a responsibility to step up its own game accordingly.”
He noted that the board is particularly suited to an oversight function because its “responsibilities uniquely cross the kind of lines that sometimes lead to silos in companies.”
Looking at the use of subcommittees to handle cybersecurity issues, Reed said, “The board should have a role in establishing a subcommittee of the board that reviews cybersecurity risks [that should be] reviewing the overarching structure and making sure that critical defenses exist and that key policies exist that are enforced. Usually there is some pre-established committee that it makes sense to assign this role to, but having a committee that has this on their radar as one of their responsibilities is what’s important.”
Turetsky added that this could be a board committee on cybersecurity or a risk management committee, noting that, while audit committees often have this responsibility, they are overburdened, which can make it difficult to do what is necessary.
On the frequency of reports to the board, Reed said, “It varies depending on the type of company you are and the current risk assessments. Certainly you’ll want some reports from the [CISO] or the [CIO] and likely also the [CPO] at least annually.” She added that companies should scale that based on risk: “[I]f the company has just experienced a breach, the board will likely want more frequent updates. If you have had a risk assessment that has revealed significant gaps, you will want more frequent updates. But at least annually, every company, no matter how solid their reports are, should have some reports from the CISO or their counterpart.”
Turetsky added that most boards will want to hear more often than annually, and that these updates should cover, among other topics, the results of penetration testing and incident response plan testing, as well as evolving threats.
Finally, on the topic of the general counsel’s office, Turetsky noted that, “[T]he general counsel plays an important role and part of his or her job is to help ensure the board is getting the necessary kind of information and attention in this area.” Reed said that, on both prevention and response, “In-house counsel is a key facilitator with the board.”