Cybersecurity, Risk Management, And How Boards Can Effectively Fulfill Their Monitoring Role
Victoria C. Wong
Posted Tuesday, April 11, 2017

In light of recent and well-publicized consumer data breaches, corporate directors and management are rightfully concerned about improving cybersecurity for the benefit of the firm, its shareholders, and consumers. Much attention has been focused on cybersecurity as a means for the board to fulfill its duty to monitor, as articulated under Caremark. Scholars and practitioners alike have put forward recommendations to advise boards on how to improve security efforts as a means to avoid litigation. This article argues that such concerns are overblown, as a closer inspection of Caremark’s progeny reveals that duty-to-monitor litigation will almost always fail. To demonstrate why this is so, this article uses two case studies involving the duty to monitor — the Target and Wyndham Hotel data breaches and the resulting shareholder litigation. Although director liability is unlikely, recasting cybersecurity as a corporate governance concern explains why directors still wish to avoid shareholder litigation. Specifically, even absent the risk of personal liability, directors should and do consider reputational concerns, board reelection, and consumer reactions following a data breach. This article briefly concludes with board recommendations for avoiding shareholder litigation in the context of cybersecurity.