Boards will be tempted to equate compliance with upcoming SEC cybersecurity rules to meeting a duty of oversight standard. They shouldn’t, attorneys say.
Compliance with the Securities and Exchange Commission’s cybersecurity disclosure rules, once they’re finalized, won’t necessarily protect your board of directors against a duty-of-oversight challenge under Caremark, say cybersecurity legal specialists in an ACC Docket analysis.
At some point a company will likely try to cite its compliance with the rules as de facto proof that its board of directors has met the standard that the closely watched Delaware Chancery Court has applied since 1996.
Under Caremark, directors have a fiduciary responsibility to stay informed about what the company is doing and to act in good faith on what they learn, in order to meet their duty of oversight and avoid personal liability when things go wrong.