Opinion
The critical role of directors in cybersecurity in the new era
"A well-defined strategy for managing cyber risks is no longer a luxury but a necessity," write Pearl Cohen's Ilan Gerzi and Sahar Ezer
Cyberattacks are no longer just a technical issue; they represent a global strategic, economic, and social challenge, reshaping the agenda in the business and legal worlds. The damage caused by these attacks, estimated in trillions of dollars annually, compels companies to adopt new risk management standards.
The case of Ilya Lichtenstein, which culminated in a court ruling this month, is one of the most prominent examples of cybercrime, symbolizing the severity of these threats in the digital age. Lichtenstein, a Russian American hacker, successfully breached Bitfinex's trading system in 2016 and stole 120,000 bitcoins—valued today at over $10 billion. Together with his wife, the couple carried out a complex operation to launder the funds using thousands of digital wallets and cryptocurrency trading platforms. The case highlights how easily massive crimes can be committed using only a computer, presenting a significant challenge for global cybersecurity systems.
The cyber threat has become a global phenomenon that threatens countries, organizations, corporations, and individuals alike. The scope and frequency of cyberattacks increase year by year, requiring the business world to adapt to the new reality. Common attacks include ransomware, where hackers lock systems and demand ransom to release them; phishing, where sensitive information is stolen by impersonating legitimate emails; and distributed denial-of-service (DDoS) attacks, which cause systems to collapse through artificial overload. These attacks not only cause enormous financial damages but also harm reputations and public trust. Therefore, companies, and especially their boards of directors, bear great responsibility for preventing such cases.
Addressing these challenges requires tailored responses, including technology, awareness, and strategic crisis management. In 2023 alone, attackers reportedly extorted approximately $450 million in total, with an average ransomware payout of $1.7 million per incident. However, the total damage incurred by organizations far exceeded the ransom amounts, often by 50 times. Ransom payouts are expected to rise dramatically in the coming years.
The rise of cyber threats does not exclude company boards from the equation. While in the past cybersecurity was perceived as the sole responsibility of IT departments, it is now clear that it is a comprehensive responsibility of management and the board of directors. In Israel, the Securities Authority has established clear guidelines stating that the board is responsible for formulating cybersecurity policy, overseeing risk management, and ensuring a proper response to threats. Directors are obligated to ensure strict oversight of security systems, that the organization effectively addresses regulatory requirements, and that actions are taken to prevent attacks and manage cyber incidents during emergencies.
This responsibility is further emphasized in key legal precedents. In the case of Palkon v. Holmes in New Jersey, the issue of board liability was examined following three significant data breaches at Wyndham Worldwide Corporation, a publicly traded hospitality company. The breaches compromised the personal data of 600,000 customers. The investigation revealed that the board acted responsibly, learning from each breach, hiring technology firms to investigate, implementing security improvements, and holding frequent discussions on the issue. The court dismissed the lawsuit against the board, concluding that these actions demonstrated responsible and diligent risk management, despite the extent of the damage.
In Israel, notable cases illustrate the importance of boards managing cybersecurity risks. For example, the 2020 cyberattack on Shirbit resulted in the leak of 22,639 sensitive documents, including personal, banking, and medical information of the company’s clients. Plaintiffs alleged that the company had been negligent in securing its data and was insufficiently transparent about the extent of the breach. As part of a settlement, approximately 4.8 million NIS were paid to affected customers, and Harel, which acquired Shirbit, committed to improving its security infrastructure.
In the 21st century, where cyber threats are an integral part of the business landscape, boards must adopt a proactive approach to risk management. Their role extends beyond passive monitoring of performance metrics; it includes close supervision, directly or through relevant advisors, of cybersecurity risk management. This entails developing appropriate policies, establishing and implementing procedures, ensuring the protection of personal and private data, preparing for potential attacks, and facilitating system and business recovery after an incident.
Directors are required to ensure the existence of thorough processes for assessing cybersecurity risks in collaboration with relevant department heads. They must make efforts to strengthen security systems not only as a protective measure but also to comply with increasingly stringent global regulations. Special attention should be given to threats to personal data privacy, which demand not only prevention of the next incident but also effective, transparent crisis management if one occurs.
A well-defined strategy for managing cyber risks is no longer a luxury but a necessity. Boards must take an active role in shaping advanced cybersecurity policies, ensuring the use of cutting-edge technologies, and preparing the organization for swift and effective responses to any potential scenario. Proper management of this area safeguards not only the company’s assets but also the trust of customers and investors.
Ilan Gerzi is a partner and the chair of the Israel Capital Markets and Securities Practice Group at Pearl Cohen Law Firm. Sahar Ezer is an associate in the Israel Capital Markets and Securities Practice Group at Pearl Cohen Law Firm.