4 Cybersecurity and Corporate Governance
As cybersecurity vulnerabilities have increasingly threatened companies' bottom lines and operational abilities, boards of directors and top executives understandably have become concerned about protecting confidential information and ensuring uninterrupted business operations. A number of federal laws, regulations, and guidelines also require top management to ensure adequate cybersecurity, both as an ongoing part of business operations and as a prerequisite for certain corporate events, such as securities offerings, obtaining foreign investments, and exporting goods.
This chapter reviews some of the legal issues that often arise in these scenarios. First, the chapter reviews the Securities and Exchange Commission's (SEC's) expectations for cybersecurity of publicly traded companies, as well as the general fiduciary duty that companies have to shareholders, and how that applies to cybersecurity. The chapter then examines the cybersecurity expectations of the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments in U.S. companies.
The laws and regulations discussed in this chapter affect different areas of corporate governance and in some cases are not directly related. SEC regulations require companies to be transparent to investors about cybersecurity challenges and incidents. Courts hold that companies violate a fiduciary duty when they harm shareholders by egregiously failing ...