Shearman & Sterling’s 17th annual Corporate Governance & Executive Compensation Survey includes a chapter titled, “Cybersecurity – Preparing for the Changing Landscape” (beginning on page 30) by Lona Nallengara, partner in the Capital Markets practice and Emma Maconick, partner in the Intellectual Property Transactions Group at Shearman & Sterling.
As the cybersecurity and data protection landscape changes, risk management continues to be an important priority on the agendas of public company boards, government authorities, institutional investors, employees and customers. Some of the chapter’s key takeaways include:
- GDPR and the increasing importance of data security and privacy – The EU's GDPR has influenced similar protective legislation in the US, specifically around the collection of personal data. The California Consumer Privacy Act, a likely precursor to a US version of GDPR-style legislation, is the first step toward a more comprehensive data privacy and information security regulatory framework.
- Cybersecurity is a financial reporting matter – The SEC wants issuers and other market participants to understand that cybersecurity risks must be considered when devising and maintaining the system of internal accounting controls required by the federal securities laws. Cybersecurity is an enterprise-wide risk management issue, and it adds a new layer of exposure for companies that may face an SEC enforcement investigation over a failure to maintain adequate internal controls.
- Government regulation and oversight are only getting started – The Cybersecurity and Infrastructure Security Agency (CISA), a federal agency within the Department of Homeland Security, focuses on coordinating cybersecurity across all levels of government, which may help companies handle these issues more effectively. Congress has also considered legislation; one recent bill would require companies to disclose whether or not the board has a "cybersecurity expert."
- What should boards do now? Understand the company's risks, policies and legal requirements; do not leave cybersecurity to a single part of the business, since managing and addressing these risks is an enterprise-wide responsibility; and include third parties in the assessment, because many companies have outsourced or contracted critical technology and non-technology functions to them.