In the face of ever-increasing concerns about corporate cybersecurity, directors are recognizing that they must educate themselves about the data privacy and security threats that their companies face, and be proactive about managing those risks. Cybersecurity has been the subject of guidance from the SEC, shareholder demands, and growing regulation.
Cyber risk is unavoidable. As former White House cybersecurity and counter-terrorism officer Richard Clarke commented at a recent program presented by the New England Chapter of the National Association of Corporate Directors,
“Corporate America is comprised of only two types of companies: those that have been hacked and know it, and those that have been hacked and don’t know it.”
Clarke and three other experts – Art Coviello of EMC and RSA, Jeffery Brown of Raytheon, and world-famous hacker turned consultant Chris Goggans – offered the following advice for directors who are concerned about developing cybersecurity strategies for their companies:
- Identify your company’s most important information assets and develop a strategy to protect them;
- Since you probably can’t prevent all cyber-attacks, focus on preventing the worst-case scenarios;
- Don’t just rely on your own IT professionals – engage outside experts to audit your cybersecurity systems just as you would use external financial auditors;
- Develop clear authority and responsibility for cybersecurity, with board-level oversight; and
- Prepare a plan for dealing with the inevitable successful cyber-attack, including strategies for complying with applicable disclosure laws and communicating with stakeholders, business partners, customers, and the media.
For further details about this program, see the NACD New England website.