Board Oversight of Cybersecurity


Cyber-attacks on U.S. companies have increased over recent years, resulting in significant costs to companies. According to surveys, U.S. companies experienced a 42% increase between 2011 and 2012 in the number of cyber-attacks they faced per week,[1] and the average annualized cost of cyber-attacks for the U.S. companies surveyed in 2013 was $11.56 million, a 78% increase since 2009.[2] Cyber-attacks may also expose companies to business disruptions, negative publicity, reputational harm and litigation.

SEC Commissioner Luis Aguilar addressed cybersecurity threats in his presentation at the “Cyber Risks and the Boardroom” Conference held in June 2014.[3] At this conference, Commissioner Aguilar stressed the importance of board oversight of cybersecurity risks, stating that “. . . ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.”[4] In addressing the oversight responsibilities of boards of directors, Commissioner Aguilar stated that, at a minimum, boards of directors should work with management to assess company policies with respect to cybersecurity to ensure that such policies are consistent with the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.[5]

Commissioner Aguilar stated that companies may consider implementing one of the following measures to help ensure that the board of directors has the ability to adequately meet its cybersecurity oversight responsibilities:

  • Require mandatory cyber-risk education for directors;
  • Have the board be adequately represented by members with a good understanding of information technology issues that pose risks to the company; or
  • Create a separate enterprise risk committee on the board.[6]

Commissioner Aguilar’s comments do not necessarily represent the views of the U.S. Securities and Exchange Commission.


[1] See 2012 Cost of Cyber Crime Study: United States, Ponemon Institute LLC and HP Enterprise Security (Oct. 2012), available at http://www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf.

[2] See HP Press Release, HP Reveals Cost of Cybercrime Escalates 70 Percent, Time to Resolve Attacks More Than Doubles (Oct. 8, 2013), available at http://www8.hp.com/us/en/hp-news/press-release.html?id=1501128.

[3] See Cyber Risks and the Boardroom, Commissioner Luis A. Aguilar (June 10, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.U_8-Wz4o6Um.

[4] See id.

[5] See id.

[6] See id.


Topics:  Board of Directors, Corporate Governance, Cyber Attacks, Cybersecurity, Risk Assessment, Risk Management

Published In: General Business Updates, Privacy Updates, Science, Computers & Technology Updates, Securities Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Winstead PC | Attorney Advertising
