"Responding to Shareholder Inquiries re Cybersecurity Oversight"
Oversight of a company’s risk management programs is one of the chief responsibilities of the board of directors, and for many companies cybersecurity risks rank among the key areas for scrutiny. It’s little surprise, therefore, that some institutional investors are reportedly sending detailed questionnaires to directors of public companies seeking extensive information about the company’s systems for oversight and control. Those are legitimate questions for directors of both public and private companies, and they call for thoughtful responses. Yet, completing and returning an extensive questionnaire is often not the best response, for several reasons.
Public companies must, and many private companies should, provide thoughtful information about risks and risk oversight by the directors. Today, a discussion of cybersecurity risks is appropriately featured in many public disclosures. Making appropriate information available to all investors has the benefit of avoiding selective disclosures of material nonpublic information or violating the Board’s fiduciary duties. Responding to a detailed questionnaire from an institutional investor who represents a subset of your investors is risky, however, because, unlike a public disclosure, the information is being shared with a limited audience.
A further complication is how rapidly the cybersecurity state of the art can change. Companies who are actively managing their cybersecurity risks will regularly make adjustments and enhancements to their cybersecurity systems. If a company responds specifically to a questionnaire, its response could become outdated very quickly. The company is then in the awkward situation of having an out-of-date disclosure in the hands of an investor that (who?) may rely on it.
Finally, inappropriate detail about a company’s cybersecurity risk management could be used to circumvent the controls in place and actually increase the risks to investors. Potential hackers are always looking for chances to exploit existing weaknesses and access company data. Placing detailed information into the hands of a third party adds an unnecessary layer of vulnerability.
These considerations shouldn’t deter shareholders from seeking rigorous cybersecurity risk management and oversight or deter management and directors from engaging in appropriate dialogue about it. High level information about these matters is appropriate and should be available to all interested shareholders. Nevertheless, providing detailed and specific disclosures about the particular controls in place on a piecemeal basis can do more harm than good and should be carefully considered.