The Board's New Mandate: Cybersecurity as a Fiduciary Responsibility
Board of Directors and Management teams of connected products companies play a leading role in cybersecurity governance
The landscape of corporate governance is changing very rapidly. For too long, cybersecurity, while acknowledged as important, has often been viewed as a technical IT problem, delegated down the organizational chart. That era is over. Today, in our interconnected world, especially for those of us building and owning the foundational components of the Internet of Things, cybersecurity has ascended to the level of a core fiduciary responsibility.
This isn't merely about protecting assets; it's about protecting the very future and integrity of the company, and by extension, personal and collective liability.
The Evolving Legal and Governance Landscape
Recent years have seen a dramatic evolution in how regulators, courts, and shareholders perceive cybersecurity failures. The message is clear: inadequate cybersecurity oversight is no longer an excusable operational mishap; it is a governance failure.
The following changes have occurred recently:
Increased Regulatory Scrutiny: Regulators across the globe, from the SEC in the United States to stricter product cybersecurity mandates in Europe and beyond, are explicitly requiring more robust disclosure and proactive risk management around cybersecurity. They are demanding transparency and accountability from the top.
Shareholder Lawsuits and Derivative Actions: Following significant data breaches or cyber incidents, boards and executives are increasingly facing shareholder lawsuits. These actions allege that directors breached their duty of care by failing to adequately oversee cybersecurity risks, leading to corporate harm.
Personal Liability: The concept of "Caremark" claims (named after the Caremark International Inc. court case), which allege a breach of the duty of oversight, is expanding to cybersecurity. Directors can be held personally liable for failing to implement a reasonable information system for reporting and oversight of critical risks, including cyber risks. The recent D&O (Directors and Officers) insurance market reflects this, with premiums rising and coverage becoming more complex, directly acknowledging the heightened personal risk.
Supply Chain Vulnerability: IoT manufacturers’ products are integral to critical infrastructure, homes, and businesses. A vulnerability in a component or device could have cascading effects throughout the global supply chain, exponentially increasing exposure and potential liability.
The takeaway is clear: the responsibility for cybersecurity now sits firmly in the boardroom.
The Board's Role: Oversight, Not Operations
The Board's mandate is not to become cybersecurity experts, nor to manage the day-to-day operations of the security program. Instead, its critical responsibilities revolve around oversight and strategic guidance:
Understand the Risk Landscape: Demand clear, concise, and comprehensive reporting on the company's cybersecurity risk posture, including product risk. This isn't just about metrics like the number of attacks blocked, but the impact of potential incidents, the maturity of your controls, and your residual risk.
Ensure a Robust Security Program: Make sure that management is implementing and adequately resourcing a comprehensive, risk-based cybersecurity program aligned with industry best practices (e.g., NIS 2, IEC 62443, ISO 27001). This includes secure product development lifecycles, supply chain security, incident response planning, and regular security audits.
Approve Adequate Investment: Cybersecurity is an investment, not an expense to be cut. Ensure that sufficient budget and skilled personnel are allocated to maintain and improve your security posture, proportionate to the risks faced and the value of the assets protected.
Promote a Security-First Culture: The board's visible commitment to cybersecurity sends a powerful message throughout the organization. Reinforce that security is everyone's responsibility, from design engineers to sales teams.
Regularly Review Incident Response Plans: Beyond prevention, how quickly and effectively can the company detect, respond to, and recover from a cyber incident? The board must understand and periodically review these plans, including communication strategies with stakeholders, regulators, and customers.
Seek Independent Assurance: Consider engaging independent third parties for regular security assessments, penetration testing, and audits. This provides an objective view of your security posture and demonstrates due diligence.
Risk-Based Reporting: A New Language for the Board
The three essential risk-based reporting topics for a connected product company's board to use in overseeing cybersecurity risk are:
Financial Exposure to Top IoT Cyber Risks (Risk Quantification):
Risk Metric: Likelihood and Estimated Financial Loss ($) for your top specific IoT threats (e.g., a critical flaw in the device's over-the-air update mechanism being exploited, a data breach of customer PII/telemetry data, or a botnet taking down a service).
Board Insight: Enables the board to set its risk appetite (what losses are acceptable or catastrophic) and to prioritize security investments based on potential financial ROI. This moves the conversation beyond "Is our security good?" to "How much risk are we financially exposed to, and what is the cost-benefit of mitigation?"
Product Security and Vulnerability Management Maturity: The security of the product itself is the primary risk. The board needs assurance that the product is "Secure by Design" and that its lifecycle is managed.
Risk Metric: Software Bill of Materials (SBOM) Coverage/Completeness: Percentage of product components (including third-party libraries) covered by a clear, up-to-date SBOM.
Board Insight: Shows whether the company is meeting industry best practices (like those proposed by the EU's Cyber Resilience Act) and actively mitigating embedded risks in its products, which directly affects long-term customer trust and legal liability.
Regulatory Compliance and Third-Party Risk: IoT devices often involve complex global supply chains and handle vast amounts of sensitive data, making compliance a major financial and reputational risk.
Risk Metric: Compliance Status Score: A simplified, high-level score (e.g., Red/Amber/Green or percentage compliant) against key regulations impacting the business (e.g., forthcoming sector-specific IoT regulations like the CRA or RED, or voluntary programmes like the US Cybersecurity Trust Mark).
Risk Metric: High-Risk Vendor/Supply Chain Exposures: Number and type of critical third-party vendors (e.g., cloud providers, component suppliers) that fall below the company's minimum cybersecurity standards.
Board Insight: Confirms the company is proactively managing the legal and financial liabilities associated with data privacy and global compliance, including the inherent risks introduced by its hardware/software supply chain.
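As an added illustration that is not part of the article, the Python below turns the three reporting topics above into board-ready numbers from a constructed portfolio record: expected annual loss per threat (likelihood times estimated loss), SBOM coverage with a staleness cut-off, a Red/Amber/Green compliance score, and the list of critical suppliers below a minimum standard. All product, vendor and threat names, dates, scores and thresholds are placeholders.

```python
from datetime import date
# Constructed sample data; every name, date and number here is a placeholder.
AS_OF = date(2025, 1, 1)  # reporting date used for the SBOM staleness check
THREATS = [  # annual likelihood and estimated loss (USD) per top IoT threat
    {"name": "OTA update flaw exploited", "likelihood": 0.10, "loss": 8_000_000},
    {"name": "Customer telemetry breach", "likelihood": 0.25, "loss": 3_000_000},
    {"name": "Botnet takes service down", "likelihood": 0.05, "loss": 12_000_000},
]
PRODUCTS = [  # date of the latest SBOM per product, None if no SBOM exists
    {"name": "gateway-a", "sbom_date": date(2024, 11, 1)},
    {"name": "sensor-b", "sbom_date": date(2023, 1, 15)},
    {"name": "camera-c", "sbom_date": None},
    {"name": "hub-d", "sbom_date": date(2024, 12, 20)},
]
COMPLIANCE = {"CRA": 0.60, "RED": 0.90, "Cyber Trust Mark": 0.40}  # share of controls met
VENDORS = [  # assessment score (0-100) per critical supplier
    {"name": "cloud-x", "score": 82}, {"name": "chip-y", "score": 55}, {"name": "fab-z", "score": 70},
]

def expected_annual_loss(threats):
    """Likelihood x loss per threat, highest exposure first; returns (rows, total)."""
    rows = sorted(((t["name"], t["likelihood"] * t["loss"]) for t in threats),
                  key=lambda r: r[1], reverse=True)
    return rows, sum(eal for _, eal in rows)

def sbom_coverage(products, today, max_age_days=180):
    """Share of products whose SBOM exists and is no older than max_age_days."""
    current = [p for p in products if p["sbom_date"] is not None
               and (today - p["sbom_date"]).days <= max_age_days]
    return len(current) / len(products)

def rag_status(fraction_compliant):
    """Map a compliance fraction onto the Red/Amber/Green scale the board reads."""
    if fraction_compliant < 0.5:
        return "Red"
    return "Amber" if fraction_compliant < 0.8 else "Green"

def high_risk_vendors(vendors, minimum_score=70):
    """Critical suppliers scoring below the company's minimum cybersecurity standard."""
    return [v["name"] for v in vendors if v["score"] < minimum_score]

if __name__ == "__main__":
    rows, total = expected_annual_loss(THREATS)
    for name, eal in rows:
        print(f"{name}: ${eal:,.0f}")
    print(f"Total expected annual loss: ${total:,.0f}")
    print(f"SBOM coverage: {sbom_coverage(PRODUCTS, AS_OF):.0%}")
    print("Compliance:", {k: rag_status(v) for k, v in COMPLIANCE.items()})
    print("Vendors below standard:", high_risk_vendors(VENDORS))
```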
The Time to Act is Now
IoT development companies stand at the forefront of this evolving risk. The devices we create are the building blocks of critical systems, and a security flaw in one component can escalate globally. Brand reputation, customer trust, and long-term viability depend on well-thought-out cybersecurity governance.
As Board Directors and top management, our engagement is no longer optional; it is a must.