When Louis A. Aguilar was a commissioner at the Securities and Exchange Commission, he helped organize the SEC’s March 2014 roundtable on the cyber risks facing public companies. The numerous data breaches that have since occurred at public companies, at Target, Yahoo and many others, show that public companies have not yet succeeded in managing cyber risks.
On Sept. 22, 2016, Mr. Aguilar presented his current views in a talk titled “The Role of the Boards of Directors and CISOs in Overseeing Cyber-Risks” at the Security Alliance Advisors’ Annual Leadership Summit. A copy of Mr. Aguilar’s presentation is available here. His remarks provide useful guidance to board members and company managers about how to better manage cyber risks.
Mr. Aguilar points out that boards have long managed many types of risks, including credit risk, liquidity risk and operational risk. Cyber risk must become one of the risks that boards manage successfully.
Mr. Aguilar discusses several steps boards can take to close the “gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken.” Those steps include:
Mr. Aguilar also advises CISOs to consider how they can best assist board members. For example:
Mr. Aguilar notes that because “companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of directors’ risk oversight responsibilities.” Mr. Aguilar’s recommendations should help board members and company managers better manage cyber risks.