Cybersecurity Starts at the Top: Risk Oversight Begins in C-Suite and Boardroom


Corporate directors and managers have a duty to make decisions in favor of long-term shareholder wealth maximization.  Bound by these fiduciary duties and standards, the executive team and the board must also comply with consumer protection laws that require investment in data security and public disclosure of breach incidents.  How to protect shareholder value while also protecting a company’s reputation, trade secrets, intellectual property, and the public presents a difficult but essential balancing act.  For example, an executive team might find that mere compliance with statutory data security requirements does not go far enough to protect and sustain long-term shareholder value, which would support a decision to invest more and go beyond the legal minimum.  Similarly, notifying the public of a breach incident too hastily may cause unnecessary reputational harm or interfere with law enforcement investigations; accordingly, a thoughtful breach incident procedure must be in place that complies with applicable laws while upholding the company’s reputation. 

To provide guidance on decisions like these to the C-Suite and the Boardroom, the Security Roundtable, a consortium of cybersecurity and privacy experts including the New York Stock Exchange and Palo Alto Networks, Inc., recently published a guide to cybersecurity governance and risk management for publicly traded companies that owe a legal duty to their shareholders.  The guide, entitled Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, is a collection of industry best practices to help assess cybersecurity risks, prepare for data breaches, and effectively handle the aftermath of a breach.  The guide is designed to assist those in the C-Suite and the Boardroom with decisions that might once have been considered the province of technologists.

Officers and directors engaged in risk oversight should begin with a self-evaluation to identify and mitigate privacy and data security risks.  Marashlian & Donahue, PLLC offers a free Privacy Impact Assessment (PIA) tool to assist you in your evaluation, available on our Information Privacy, Data Security and Consumer Protection Practice website.

Neither the Security Roundtable guide nor the PIA tool should be relied upon as the sole legal guidance for your cybersecurity practices.  A business should always consult with counsel to discuss its specific practices and how they may be affected by privacy and data security law.  If you have any questions regarding cybersecurity matters or wish to design steps that can protect your business, contact Linda McReynolds, the head of our Information Privacy, Data Security and Consumer Protection Practice, at

ATTORNEY ADVERTISING DISCLAIMER: This information may be considered advertising in some jurisdictions under the applicable law and ethical rules. The determination of the need for legal services and the choice of a lawyer are extremely important decisions and should not be based solely upon advertisements or self-proclaimed expertise. No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers.
