Article prepared by and republished courtesy of our colleague Vinny Sanchez; originally published here: http://www.dlapiper.com/corporate-governance-also-means-protecting-your-technology-and-information/.
Not a day passes without news of a data breach or cyber-attack on a company’s operations or a nation’s critical information infrastructure. Indeed, data security and operational risk are the top two concerns of public company directors and general counsel, according to the 2012 Law and the Boardroom Study conducted by FTI Consulting, Inc. and Corporate Board Member. Disaster recovery, e-discovery and company reputation also rank high among top issues keeping directors and GCs up at night.
Today, company operations and shareholder value depend more than ever on the successful acquisition, implementation and operation of technology. Online interactions with customers have created the expectation that companies will be continuously open for business. Viruses, worms, spoofing and cyberwars cannot stop this expectation, and the consequences of failing to be available online 24/7 harm a company’s reputation and, ultimately, its value.
Even the SEC has weighed in on the materiality of these risks, proffering guidelines as to when public companies should disclose information regarding cyberattacks. The White House and Congress continue debating how they will influence the private sector’s approach to protecting the critical information infrastructure, and an Executive Order addressing cybersecurity issued in February this year will likely affect almost every company, public or private.
Yet a cursory review of public company boards shows that few have actually formalized oversight of the technology and information challenges their companies face. A McKinsey study suggests that corporate directors are evenly split between those who believe these topics receive insufficient attention in the boardroom and those who believe the attention is “about right.” The study suggests that having at least one tech-savvy board member “significantly affected strategic initiatives or direction to address technology-based threats and opportunities.”
Directors’ duty of care includes protecting technology and information
Disruptive technologies are not just changing business models but driving some companies to extinction. Corporations are investing heavily in innovation, as evidenced by the rise of Chief Innovation Officers, so as to transform their businesses and remain relevant. At the center of these changes are technology and the information it enables.
But as technology evolves, one fact remains the same: corporate directors owe fiduciary duties to the corporation and its shareholders, among them the duty of care. Directors have a duty to protect corporate assets and minimize exposure to third-party liability. A company’s most critical assets, in the 21st century, clearly include its IP, technology and information.
In an effort to fulfill the duty of care to protect these vital assets, some boards have formed committees focusing on protection and strategic use of intellectual property and technology. Very few of these committees, however, specifically address the risks associated with data and the need to keep it secure.
The technology and information committee
Boards of directors should proactively implement an oversight structure (or enhance an existing one) that is more focused on their duty to protect the company’s IP, technology and information assets, while at the same time minimizing the company’s exposure to third-party liability.
The committee’s name is less relevant than its purpose, but should reflect its vital mission. Existing examples include “Science and Technology Committee,” “Technology and Operations Committee,” or simply “Technology Committee.” However, given the increasing importance of information governance, the committee name should reflect this reality.
The committee’s mission
Technology committee missions vary depending on the nature of the business and the industries in which the company operates, but the emphasis should be to help protect the value of company IP and information assets. For some public companies, existing committees focus on research and development. Others have a wider focus that may encompass:
overseeing the quality of the intellectual property portfolio
recommending approaches to acquiring and maintaining technology positions
providing recommendations for execution of management’s technology strategies
monitoring the technology portfolio and information technology platforms
reviewing emerging technology opportunities and competitive issues and
reviewing system security and contingency measures
The board, as well as shareholder value, will benefit significantly from tech-savvy board members and advisors, especially those who can foresee the potential impact of evolving or disruptive technologies. In addition, the board will benefit from members or advisors who understand how the company may derive value from its IP and information assets as well as the technical, operational and legal challenges of leveraging those assets.
The way forward
Directors, officers and general counsel need to concern themselves with the rising risks posed by cyberthreats and disruptive technologies to their companies’ operations and reputations. We are about to enter a time in which government regulators, shareholders, customers and others will call directors and officers to account for their roles in the oversight of a company’s IP, technology and information. The time to act is now, before the next data breach or evolutionary technology disrupts not just your company but your career.