Recent Hacking Incidents and Cyber Threats to Director Communications: Public Companies Should Periodically Review Their Director Communication Practices to Ensure Appropriate Balance of Security and Efficiency in Light of Ongoing Cybersecurity Developments

Sullivan & Cromwell LLP - November 15, 2016

The growth in cybersecurity threats combined with the increasing demands placed on outside directors create challenges that often go beyond the risks that public companies face from employee and client communications.  If public companies cannot communicate quickly with directors or directors cannot easily share information and discuss options, corporate governance will suffer.  On the other hand, outside directors often have professional responsibilities to multiple organizations and, accordingly, are more likely to rely on electronic communications that are outside of any particular company’s technology resources.

Recent hacking incidents highlight the need for public companies to review their director communication practices to ensure that they are current and that they appropriately balance security and efficiency.  In this regard, public companies may wish to consider exploring or re-exploring alternatives that fit with their information security framework, such as dedicated company email addresses and/or board portals.  Each of these options has benefits, as well as some drawbacks in terms of residual security, record-keeping or efficiency.  Regardless of the particular approach taken, public companies should periodically review their director communications practices in light of ongoing cybersecurity developments, regularly update directors on information security risks, company practices and response protocols in the event of compromise, and consider providing technology and security support for personal devices and home offices maintained by outside directors.