Attorney outlines corporate secretaries’ cyber-security role

Among other things, they need to ensure the right information gets to the board

Corporate secretaries have an increasingly demanding role to play in the hot-button field of cyber-security, and Simpson Thacher & Bartlett counsel Yafit Cohn recently outlined ways they can help their boards.

The role of a corporate secretary in this area includes understanding what information needs to get to the company’s directors – such as what risks the company faces and what steps the firm is taking to address them – Cohn told delegates at the Society for Corporate Governance’s national conference in San Francisco.

This includes ensuring the right amount of information reaches the board, so that it is not swamped by technical details. The corporate secretary should also ensure that the board is aware of industry best practices in tackling cyber-threats, Cohn said.

In terms of meetings and other communications, the secretary should bear in mind that board materials may be discoverable if a breach leads to a lawsuit or regulatory investigation, she noted. The agenda of board meetings should also be set such that cyber-security is discussed at least once a year, she added.

Cohn also outlined questions boards should ask in overseeing cyber-risks, which she detailed in a recent paper with Simpson Thacher partner Karen Hsu Kelley. These include:

  • Has the company identified a senior person who has clear responsibility for organization-wide cyber-security preparedness and who has support from the top of the firm?
  • Has management given serious consideration to how much of the budget and how many staffers are adequate for proper cyber-risk management?
  • Has management developed a comprehensive, written data privacy and cyber-security program comprising appropriate policies and procedures?
  • Has management instituted effective training programs teaching employees about the appropriate handling and protection of sensitive data?
  • Has management taken steps to mitigate the cyber-security risks associated with outsourcing business functions to third parties?
  • Does management have an effective system for staying up to date and complying with federal, state and international data security laws and regulations that are applicable to its operations?




