Cyber-attacks on U.S. companies have increased over recent years resulting in significant costs to companies. According to surveys, U.S. companies have experienced a 42% increase between 2011 and 2012 in the number of cyber-attacks they experienced per week[1] and the average annualized cost of cyber-attacks for various U.S. companies surveyed in 2013 was $11.56 million, which represents a 78% increase since 2009.[2] Cyber-attacks may also expose companies to business disruptions, negative publicity, reputational harm and litigation.
SEC Commissioner Luis Aguilar addressed cybersecurity threats in his presentation at the “Cyber Risks and Boardroom” Conference held in June, 2014.[3] At this conference, Commissioner Aguilar stressed the importance of board oversight of cybersecurity risks stating that “. . . ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.”[4] In addressing the oversight responsibilities of boards of directors, Commissioner Aguilar stated that, at a minimum, boards of directors should work with management to assess company policies with respect to cybersecurity to ensure that such policies are consistent with the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.[5]
Commissioner Aguilar stated that companies may consider implementing one of the following measures to help ensure that the board of directors have the ability to adequately meet their cybersecurity oversight responsibilities:
-
Require mandatory cyber-risk education for directors;
-
Have the board be adequately represented by members with a good understanding of information technology issues that pose risks to the company; or
-
Create a separate enterprise risk committee on the board.[6]
Commissioner Aguilar’s comments do not necessarily represent the views of the U.S. Securities and Exchange Commission.
