Calling All Boards of Directors: Four Recommendations from the SEC


SEC Commissioner Luis Aguilar recently spoke at the New York Stock Exchange Conference “Cyber Risks and the Boardroom.”  In his speech, Commissioner Aguilar emphasized the importance of cybersecurity and how fast the need for cybersecurity has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week.  He cautioned,

“[B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

Commissioner Aguilar highlighted the broad duties that a board owes to the corporation.  He proffered that the board’s general role in corporate governance and overseeing risk management provides the foundation for a board’s role in addressing cybersecurity issues.  He acknowledged that boards are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk – and as a result there can be little doubt that cyber-risk also must be considered as part of a board’s overall risk oversight.

Commissioner Aguilar’s speech boils down to four recommendations to boards on what they can, and should, do to ensure that their organizations are appropriately considering and addressing cyber-risks.

1. Use the NIST Framework as Guidance

The Framework for Improving Critical Infrastructure Cybersecurity released by the National Institute of Standards and Technology (the “NIST Framework”), provides boards of directors with a set of industry standards and best practices for managing cybersecurity risks.  Commissioner Aguilar noted that although the NIST Framework is voluntary, some commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes.  He recommended that boards work with management to assess their corporate policies against the backdrop of the NIST Framework to determine whether those policies are adequate.

2.  Institute Board Structural Changes to Focus on Appropriate Cyber-Risk Management

Companies must have someone on the board that is able to adequately understand and implement cybersecurity procedures.  Many boards lack the necessary technical expertise to be able to evaluate whether management is taking appropriate steps to address cybersecurity issues.  This responsibility often falls to the audit committee, but they may not have the expertise or skills to add cyber-risk oversight to their long list of duties.  Commissioner Aguilar recommends that boards create a separate enterprise risk committee that can provide improved risk reporting and monitoring, as well as push necessary resources and overall support to company executives responsible for risk management.

3.  Maintain Appropriate Personnel

In addition to the board taking a more active role in cybersecurity issues, boards must maintain adequate personnel to manage cyber-risk on the front lines.  At a minimum, boards should have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight.  Devoting full-time personnel to cybersecurity issues may help prevent and mitigate the effects of cyber-attacks.

4.  Be Prepared!

Regardless of the mechanisms in place to prevent cyber-attacks, the company must ultimately be prepared for the inevitable cyber-attack and the resulting fallout from such attack.  Commissioner Aguilar warns that an ill thought-out response can be far more damaging than the attack itself.  He recommends that boards put time and resources into making sure that management has developed a well-constructed and deliberate response plan that is consistent with best practices for a company in the same industry.


Although Commissioner Aguilar’s speech focuses on corporate governance recommendations, it is clear that the SEC’s focus on cybersecurity grows daily.  To that end, the importance of both risk assessment and preparedness and thorough and specific disclosure of a public company’s cyber-risks and history of cyber-attacks cannot be understated.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz Levin - Privacy & Security Matters | Attorney Advertising

Written by:


Mintz Levin - Privacy & Security Matters on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.