Calling All Boards of Directors: Four Recommendations from the SEC
Written by Adam Veness
SEC Commissioner Luis Aguilar recently spoke at the New York Stock Exchange Conference “Cyber Risks and the Boardroom.” In his speech, Commissioner Aguilar emphasized the importance of cybersecurity and how fast the need for cybersecurity has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week. He cautioned,
“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Commissioner Aguilar highlighted the broad duties that a board owes to the corporation. He proffered that the board’s general role in corporate governance and overseeing risk management provides the foundation for a board’s role in addressing cybersecurity issues. He acknowledged that boards are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk – and as a result there can be little doubt that cyber-risk also must be considered as part of a board’s overall risk oversight.
Commissioner Aguilar’s speech boils down to four recommendations to boards on what they can, and should, do to ensure that their organizations are appropriately considering and addressing cyber-risks.
1. Use the NIST Framework as Guidance
The Framework for Improving Critical Infrastructure Cybersecurity released by the National Institute of Standards and Technology (the “NIST Framework”), provides boards of directors with a set of industry standards and best practices for managing cybersecurity risks. Commissioner Aguilar noted that although the NIST Framework is voluntary, some commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes. He recommended that boards work with management to assess their corporate policies against the backdrop of the NIST Framework to determine whether those policies are adequate.
2. Institute Board Structural Changes to Focus on Appropriate Cyber-Risk Management
Companies must have someone on the board that is able to adequately understand and implement cybersecurity procedures. Many boards lack the necessary technical expertise to be able to evaluate whether management is taking appropriate steps to address cybersecurity issues. This responsibility often falls to the audit committee, but they may not have the expertise or skills to add cyber-risk oversight to their long list of duties. Commissioner Aguilar recommends that boards create a separate enterprise risk committee that can provide improved risk reporting and monitoring, as well as push necessary resources and overall support to company executives responsible for risk management.
3. Maintain Appropriate Personnel
In addition to the board taking a more active role in cybersecurity issues, boards must maintain adequate personnel to manage cyber-risk on the front lines. At a minimum, boards should have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight. Devoting full-time personnel to cybersecurity issues may help prevent and mitigate the effects of cyber-attacks.
4. Be Prepared!
Regardless of the mechanisms in place to prevent cyber-attacks, the company must ultimately be prepared for the inevitable cyber-attack and the resulting fallout from such attack. Commissioner Aguilar warns that an ill thought-out response can be far more damaging than the attack itself. He recommends that boards put time and resources into making sure that management has developed a well-constructed and deliberate response plan that is consistent with best practices for a company in the same industry.
Although Commissioner Aguilar’s speech focuses on corporate governance recommendations, it is clear that the SEC’s focus on cybersecurity grows daily. To that end, the importance of both risk assessment and preparedness and thorough and specific disclosure of a public company’s cyber-risks and history of cyber-attacks cannot be understated.