Cybersecurity Incident as Black Swan or Corporate Negligence
Another Black Swan
The "black swan theory" refers to a major event that arrives as a surprise and has a major effect. Black swan events were introduced by Nassim Nicholas Taleb in his 2001 book Fooled By Randomness, which concerned financial events. His 2007 book The Black Swan extended the metaphor to events outside of financial markets. Taleb regards almost all major scientific discoveries, historical events, and artistic accomplishments as "black swans": undirected and unpredicted. He gives the rise of the Internet, the personal computer, World War I, the dissolution of the Soviet Union, and the September 2001 attacks as examples of black swan events.
At what point is the line crossed that escalates the facts of an incident from "unpredictable event" to "basic negligence" to "lack of good faith"? The existence of cyber red flags is not, in itself, an indication of director liability or ineffective oversight, but it does paint an emerging picture of the challenges facing the board.
Corporations on Fire
Like it or not, corporate law will evolve to hold corporate directors more accountable for cybersecurity oversight (Lunn 2014). Serious cybersecurity threats are a common and growing risk to corporate value, and breaches or failures to protect these computer systems and their data can have grave consequences for a firm's future. Directors have duties of care and loyalty, and an obligation to act on a well-informed basis on important issues affecting corporate affairs.
From Corporate Negligence To Corporate Governance on Cybersecurity
A. Have a clear, written board charter for cybersecurity oversight that sets out responsibilities and scope. The charter is similar to a well-considered Audit Committee charter or, in some cases, is an element of the Audit Committee charter.
B. Corporate policies and processes covering the many elements of cybersecurity.
C. The implementation of a director education program on cybersecurity.
D. The recruitment of directors with cybersecurity skills, knowledge and abilities consistent with the threats the company faces.
E. The use of outside advisors with specialized skills.
F. Attainment of appropriate security or technical certifications by key staff, overseen by the board and top management.
G. The existence of employee communication and training programs appropriate for threats the company faces.
H. Regular, systematic board engagement in cyber oversight, similar to internal audit's consideration of policy, practices, reporting, and resource sufficiency, as the output of a systematic risk management process.
I. Appropriate documentation of the above and a systematic methodology for continuous improvement (Lunn 2014).
References
Lunn, Brad. 2014. "Strengthened Director Duties of Care for Cybersecurity Oversight: Evolving Expectations of Existing Legal Doctrine", Journal of Law and Cyber Warfare.
Taleb, Nassim Nicholas. 2007. The Black Swan: The Impact of the Highly Improbable (1st ed.). London: Penguin.