On June 10, 2014, Commissioner Luis A. Aguilar spoke at a NYSE conference, “Cyber Risks and the Boardroom,” about what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats.
Commissioner Aguilar was concerned that “there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.” Commissioner Aguilar stressed that boards should, among other matters:
review annual budgets for privacy and IT security programs;
assign roles and responsibilities for privacy and security; and
receive regular reports on breaches and IT risks.
Boards should also:
have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices; and
put time and resources into making sure that management has developed a well-constructed response plan that is consistent with best practices for a company in the same industry (including a consideration of whether and how cyber-attacks should be disclosed to customers and to investors).
Commissioner Aguilar suggested that one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. The NIST Cybersecurity Framework provides companies with a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk consisting of five concurrent and continuous functions:
(i) identify known cybersecurity risks to the company’s infrastructure;
(ii) develop safeguards to protect the delivery and maintenance of infrastructure services;
(iii) implement methods to detect the occurrence of a cybersecurity event;
(iv) develop methods to respond to a detected cybersecurity event; and
(v) develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.
Boards should work with management to assess their corporate policies to ensure how they measure up to the Framework’s guideline.
Commissioner Aguilar emphasized that cyber-risk is part of a board of director’s overall risk oversight responsibilities, in addition to liquidity and operational risks facing the company. Generally, the board’s risk oversight function lies either with the full board or is delegated to the board’s audit committee. But the board’s audit committee may not have the expertise, support, or skills necessary to add oversight of a company’s cyber-risk management to its agenda. Some boards create a separate enterprise risk committee.
There is obviously no “one-size-fits-all” way to address cybersecurity issues at the board level and each company should evaluate its board composition and determine what would be the most effective way for its board to oversee cyber-risk management.