Implicit within Delaware law, and now explicit in the SEC Cyber Rules, is the concept of adequate governance. It is not what the FTC just said on a particular topic, the latest guidance from a Data Protection Authority, what the NIST framework provides, or a set of controls in any particular subject area regarding privacy or cyber. Governance of a corporation is purely a matter of internal affairs, and while individual programs may be managed or “governed”, that is not governance under Delaware law. Sixty percent of the Fortune 500 are incorporated in Delaware, and as a result Delaware law plays an outsized role in defining issues like governance. And now that the SEC has added a specific disclosure requirement regarding cyber governance, it is all the more important to have a consistent definition and approach.
This graphic captures what governance is, including escalation, as represented by the green dashed line, coming from “measurement and reporting”, which is essentially the information systems/information gathering capability of a company. It should be noted that governance obviously includes both oversight and operations concepts.
Direction is the first step, and that is set by Delaware General Corporations Code Section 141, which provides, “every corporation organized under this chapter shall be managed by or under the direction of a board of directors…” To help differentiate the points that follow, the direction that is set is a broad vision for the company.
Strategy is inherent in the business judgment rule, a core principle of Delaware law, and as summarized by the state of Delaware, “Although some major transactions require the consent of stockholders as well as the approval of the board, the board generally has the power and duty to make business decisions for the corporation. These decisions include establishing and overseeing the corporation’s long-term business plans and strategies, and the hiring and firing of executive officers.” That provides us the concept of strategy being part of governance.
Oversight is a concept embedded within the business judgment rule, and it is also part of the Caremark standard that serves as a potential basis for director and officer liability.
Controls, and measurement and reporting, also come directly from Delaware law. As noted most recently in In re McDonald’s Corporation Stockholder Derivative Litigation, “another critical part of an officer’s job is to identify red flags, report upward, and address them if they fall within the officer’s area of responsibility. Once again, pause and envision an officer telling the board that their job did not include any obligation to report on red flags or address them.”
That returns us to the original graphic—the governance process—and why this is the process that should be used. Here we see one final point—that the process itself is the same no matter the subject matter area. While the controls are different in other subject areas when the process is keyed to a different subject, the process remains the same. This also illustrates a common misconception among subject matter experts—controls are not governance. They are part of governance, but they are not by themselves governance.
Having an understanding of this concept is critical as companies try to build compliant and resilient privacy and cybersecurity programs.
For more information on cybersecurity processes, or how public companies can prepare for compliance, please contact your DLA Piper relationship partner, the authors of this blog post, or any member of our Data Protection team.