Cybersecurity in Corporate Governance

Published on : 25 May 2019

Cybersecurity in Corporate Governance: A Global Purview

The history of cybersecurity began with a research project. A man named Bob Thomas realized that it was possible for a computer program to move across a network, leaving a small trail wherever it went. He named the program Creeper and designed it to travel between Tenex terminals on the ARPANET, printing the message "I am the Creeper, catch me if you can."

A man named Ray Tomlinson (the same person who invented email) saw this idea and liked it. He modified the program and made it self-replicating, the first computer worm. He then wrote another program, Reaper, the first antivirus software, which would chase Creeper and delete it.

It is striking to look back from where we are now, in an era of ransomware, fileless malware and nation-state attacks, and realize that the forerunners of this problem were far less harmful than today's threats. We have come a long way from there to here.

The term cybersecurity refers to the technologies and processes designed to protect computer systems, software, networks and user data from unauthorized access, and from threats spread over the Internet by cybercriminals, hackers and terrorist groups. Put simply, cybersecurity is protecting your devices and networks from unauthorized access or modification. The Internet is not just a source of information; it is also a medium through which people collaborate and do business.

Today, people use the Internet to advertise and sell products in various forms, communicate with their customers and retailers, and carry out financial transactions. Because of this, hackers and cybercriminals use the web as a tool to spread malware and carry out cyberattacks.

Cybersecurity aims to protect computers, networks and software programs from such cyberattacks. Most of these attacks are carried out to access, change or delete sensitive information, to extort money from the victims, or to deliberately interrupt daily business operations.

Types of Cybersecurity Risks and Threats

Ransomware: A type of malware in which an attacker locks up the victim's computer, system and files, mainly through encryption, and then demands money to decrypt the files and unlock the system.

Malware: Any file or program used to harm a computer, such as computer viruses, worms, spyware and trojan horses.

Social engineering: An attack that relies on human interaction to trick users into breaking security procedures in order to gain access to sensitive information that is normally protected.

Phishing: A type of fraud in which fraudulent emails, made to look as though they come from reputable sources, are sent to individuals; the real aim of such emails is to extract sensitive data such as credit card details and login information.

Corporate Governance concerning cybersecurity

Whenever a new and important issue emerges, whether it concerns business losses, gains or a breach, it is referred to the board of directors for discussion and labeled as extremely complex and sophisticated. Cyber risks have developed over a long period of time, and they are here to stay, with more threats than ever before.

Boards of directors do include cybersecurity in their meetings and agendas several times a year. But given the speed at which cyber risk is growing and the danger it presents, it will eventually become standard practice to include cybersecurity as a regular item on the agenda.

As the complexity of technology continues to advance and threaten corporate operations, boards of directors should build up their own understanding of technical issues and rely on technical experts, as part of best practice for good corporate governance.

Board directors in their individual capacity may not have the technical expertise to understand the complexities involved in cybersecurity. Nonetheless, individually, together with the rest of the board and with the help of specialized technical experts, they should keep looking for ways to strengthen their corporation's security efforts.

While the board of directors need not involve itself directly in cybersecurity concerns, it should be aware of the various areas under its oversight that carry some level of cyber risk.

Board directors are directly responsible for the company's risk management, which also includes the management of cyber risk. Boards must look at their internal controls, which should alert the board to potential cyberattacks and keep it updated on them.

Boards of directors likewise have an obligation to ensure that management is held accountable for continually preparing and training the team responsible for maintaining the corporation's security. Boards also need to ensure that IT or other security teams perform thorough testing on a regular basis, ideally by outside parties. While implementation of the cybersecurity program rests squarely with senior management, board members are responsible for overseeing those efforts and holding management accountable.

Cyber breaches can expose a firm or corporation to legal complications. A board director's primary duty is to comply with federal, state and local laws and thereby protect the corporation from unwanted litigation. As part of good governance, it is the board's duty to protect all of its employees, stakeholders and shareholders against the legal problems arising from such cyber risks.

Cybersecurity is like any other enterprise-level management risk. It is therefore for management and the board to evaluate cybersecurity as they would assess any other risk. The board needs to look at cybersecurity in terms of how to avoid the risk, how the risk can be mitigated and what the possibilities are of insuring against it, and to take the important decisions directly connected with such risks. The board has to study its cyber insurance policy closely and confirm that the coverage is wide enough to cover all the risks the corporation may face from time to time. It should be the task of cyber risk analysts to update the board on the reputational and financial costs the corporation may incur in the event of a breach.

It is important for the board to shift its focus to the concerns of cybersecurity, keep itself updated on them and take prompt action in case of a breach, as the risks in the cyber world are multiplying because of the expertise that these hackers have trained for and practiced.

Many companies are creating and filling the position of Chief Security Officer (CSO) or a related corporate executive position. These executives may be responsible for:

  • Developing and implementing a plan that will protect the company from cyberattacks.
  • Training the workforce on cybersecurity risks.
  • Developing systems that will prevent cybersecurity breaches.
  • Creating backup plans to deal with the contingency of a security breach and thus avoid an adverse impact on the business.

From a legal perspective, there are guidelines for certain industries under laws such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley. But for some private companies, best practices for developing cybersecurity are still evolving, and research toward them is in progress. It is important for these private entities to partner with the government in developing cybersecurity through collective discussion and recommendations.

Cybersecurity will become an increasingly important issue for organizations of all sizes. Legal principles will develop over time and may take a long while to be widely adopted as best practices. Those organizations that pay the most attention to the danger of cybersecurity will be the least affected and will be in a position to avoid and combat unexpected liabilities.