FTC Expectations For Corporate Board Level Oversight of Cybersecurity
The Federal Trade Commission (FTC) has published expectations for corporate board level oversight of cybersecurity. They advise every member of every board: “Don’t underestimate your role in data security oversight”.
The FTC’s role in cybersecurity flows from its mission of protecting consumers and competition by preventing anticompetitive, deceptive and unfair business practices. They have both consumer protection and competition jurisdiction in broad sectors of the economy and they pursue vigorous law enforcement in their domain. Congress has empowered them with authority to adopt industry-wide trade regulation rules. In cybersecurity, the FTC has shown a strong bias towards protecting consumer data and employee data, as well as ensuring statements made by corporations on data security are not deceptive.
The FTC has prosecuted cases and brought legal action against firms they believe are not operating optimal data security practices (including by using deceptive descriptions of what they do). Some recent examples of famous cases include those against SkyMed International, Tapplock, and Zoom.
With that introduction in mind, here is what the FTC is saying corporate boards should do to ensure they are applying appropriate oversight of corporate cybersecurity activities:
- Make data security a priority: Boards should know it is their priority, not something for the IT department. Corporate boards should prioritize data security and set the tone of a culture of security for the entire company. Board level oversight should be the standard, not delegating to the audit committee or others. And security briefings should be regular events.
- Understand the cybersecurity risks and challenges your company faces: Since a strong security program starts at the top, stay informed on the true risks and challenges and keep a good understanding of the dynamic threats in cybersecurity.
- Don’t confuse legal compliance with security: Cybersecurity threats change rapidly and no “check in the box” approach will meet the risk mitigation needs of the corporation. Boards should ask the tough questions regarding risk mitigation, not just about compliance.
- Know it is more than just prevention: Ensure reasonable precautions are in place but be ready to respond when there is an incident. This includes having external counsel and technical response teams under contract and ready to activate.
- Learn from mistakes: Put in place a process to learn from incidents and get regular briefings on incidents in your sector.
What to know and do about this recent FTC guidance:
- Current and aspiring board members should take this as yet another demand signal to continuously improve their knowledge of cybersecurity issues.
- For most corporations, cybersecurity is a critical risk and appointing a board member with specialized experience will greatly benefit board activities on this issue.
- C-Suite leaders should proactively get information to board members on the nature of the dynamic cybersecurity threats facing the organization and controls being put into place to mitigate those threats. Results of recent threat modeling activities and red team exercises should be proactively presented to the board.
- The FTC’s jurisdiction includes the authority to prosecute false claims about security. All corporations should understand that even unintentional mistakes or misstatements made for marketing purposes can create risk for the corporation. Reviewing any cybersecurity, data protection or other related statements or marketing made by your corporation for accuracy is a prudent step. C-suite leaders doing this review should be savvy enough about cybersecurity to ask the hard questions needed to ensure those statements are correct.
- C-Suite leaders should prepare themselves for coming shifts in how boards interact on topics of cybersecurity.