We recently had another reminder—as if one were needed—about the threat companies face from data security breaches and other cyber threats, whether targeted at their own networks and products or those of companies they do business with.

In August, prosecutors in New York and New Jersey joined the SEC in announcing insider trading charges against hackers inside and outside the United States who broke into computer servers at widely used wire services and used the embargoed information to trade ahead of market-moving corporate announcements.

The damage caused by the 2014 Sony and 2013 Target data breaches—not to mention more recent revelations about the hacking of personnel records at the U.S. Office of Personnel Management, or the 1.4 million vehicles recalled after exposure of an entertainment system security flaw that may have left the vehicles vulnerable to remote commandeering—underscores both the scale and the pervasiveness of this multifaceted threat.

The spate of alarming news has directors asking what the board’s role should be in protecting the company from cyber threats, and many boards have arrived at the conclusion that cybersecurity risk oversight is a fundamental component of the board’s oversight of risk management generally. There are good reasons for this view. No matter the industry, a company touched by a cybersecurity breach or flaw can be exposed to heavy liabilities—spanning public relations nightmares, loss of customers, product recalls, shareholder litigation and regulatory investigations. And we have seen enough widely publicized examples of these consequences in the last five years that corporate boards are on notice of the rapidly metastasizing risk facing their companies.

While large numbers of boards don’t appear to be setting up standalone committees to handle cybersecurity oversight, boards are thinking about where in the existing committee structure these risks should be addressed—for example, whether the audit committee, which often has initial responsibility for risk oversight, should be tasked with cybersecurity risk oversight as well. Different companies will take different approaches, but most boards will want to understand:

Which members of the management team own cybersecurity risk

What is being done to identify and scope cybersecurity risks; for example, whether management is using the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or another industry-specific framework

How management ranks the various cyber threats faced by the company

What financial and employee resources and insurance coverage are available to mitigate cybersecurity risk

What policies and training have been instituted around cybersecurity risk

What testing and other programs are employed to assess and mitigate cybersecurity risk

The details of management’s game plans if the company is exposed to a cybersecurity event.
