Among other things, they need to ensure the right information gets to the board
Corporate secretaries have an increasingly demanding role to play in the hot-button field of cyber-security, and Simpson Thacher & Bartlett counsel Yafit Cohn recently outlined ways they can help their boards.
The role of a corporate secretary in this area includes understanding what information needs to get to the company’s directors – such as what risks the company faces and what steps the firm is taking to address them – Cohn told delegates at the Society for Corporate Governance’s national conference in San Francisco.
This includes ensuring the right amount of information reaches the board, so that it is not swamped by technical details. The corporate secretary should also ensure that the board is aware of industry best practices in tackling cyber-threats, Cohn said.
In terms of meetings and other communications, the secretary should bear in mind that board materials may be discoverable if a breach leads to a lawsuit or regulatory investigation, she noted. The agenda of board meetings should also be set such that cyber-security is discussed at least once a year, she added.
Cohn also outlined questions boards should ask in overseeing cyber-risks, which she detailed in a recent paper with Simpson Thacher partner Karen Hsu Kelley. These include:
- Has the company identified a senior person who has clear responsibility for organization-wide cyber-security preparedness and who has support from the top of the firm?
- Has management given serious consideration to how much of the budget and how many staffers are adequate for proper cyber-risk management?
- Has management developed a comprehensive, written data privacy and cyber-security program comprising appropriate policies and procedures?
- Has management instituted effective training programs teaching employees about the appropriate handling and protection of sensitive data?
- Has management taken steps to mitigate the cyber-security risks associated with outsourcing business functions to third parties?
- Does management have an effective system for staying up to date and complying with federal, state and international data security laws and regulations that are applicable to its operations?