Earlier this week SEC Commissioner Luis A. Aguilar gave a speech at the New York Stock Exchange on "Boards of Directors, Corporate Governance and Cyber-Risks," in which he strongly urged directors to focus on the need for increased oversight of cyber-risks:
"Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company's cybersecurity measures needs to be a critical part of a board of directors' risk oversight responsibilities."
Commissioner Aguilar recommended that directors take the following four steps:
- Use the Framework for Improving Critical Infrastructure Cybersecurity released by the National Institute of Standards and Technology as a guide;
- Consider cyber-risk education for directors, recruiting a director who knows information technology, or creating an enterprise risk committee to focus attention on cyber-risks;
- Make sure the company has appropriate personnel to manage cyber-risks; and
- Prepare a plan for responding to cybersecurity breaches.
For further discussion and analysis of Commissioner Aguilar's speech, please check out this posting by our colleague Adam Veness on Mintz Levin's Privacy & Security Matters blog, which also has an excellent Cyber-Risks Boardroom Series. You can also find information about the SEC's cybersecurity initiatives here.