On June 10th, SEC Commissioner Luis Aguilar made a speech before the New York Stock Exchange, and he took the opportunity to discuss good corporate governance as it relates to cybersecurity and boards of directors.
It’s an opportune time. As Commissioner Aguilar noted, one recent survey showed that between 2011 and 2012, U.S. companies experienced a 42% increase in the number of successful cyber-attacks per week. Recent attacks on Adobe Systems, Target Corp., and Snapchat have affected millions of customers in each instance. And these attacks are expensive. Beyond the direct costs associated with notifying and compensating customers for data losses, the secondary reputational harm for corporations involved in severe breaches can drastically affect a company’s bottom line. Also, cyber-attacks require quick and appropriate action; miscalculated responses can multiply problems caused by the attacks themselves.
For Aguilar, this means that corporate boards should take an active role in considering cyber-attacks and possible responses to them before they happen. As he notes, the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology in February 2014, says as much. But how? The nature of the risk ensures that staying ahead of it will be technologically difficult. Some have recommended mandatory cyber-risk education for directors. Others have suggested that boards at least include members with a good understanding of the information technology issues that pose risks to their companies. Another way – mandated by the Dodd-Frank Act for large financial institutions but not for public companies generally – is to create a separate enterprise risk committee on the board.
In addition to proactive boards, a company must also have the appropriate personnel to carry out effective cyber-risk management and provide regular reports to the board. At a minimum, Aguilar thinks, boards should have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices.
I don’t think Commissioner Aguilar’s policy prescriptions – such as this one from 2009 about giving the SEC criminal enforcement authority – are always right. But his thoughts about cybersecurity seem to be pretty close to the mark. These attacks are here to stay, and public companies and their boards should get ready to respond. In any event, the speech is heavily footnoted and is a nice guide to the current cybersecurity landscape.
Matt Kelly has good coverage of the speech and issue at Compliance Week.