Data breaches have increased dramatically. According to a 2014 Internet security threat report published by Symantec, data breaches increased in 2013 by 62 percent. It is therefore not surprising that Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar recently addressed what boards of directors can, and should, do to ensure that their organizations are addressing cyber risks. Aguilar detailed the alarming rate at which companies are experiencing cybersecurity issues at a recent “Cyber Risk and Boardroom” conference.
In light of this increased cyber risk, Commissioner Aguilar stated that the SEC is focused on ensuring that companies are taking appropriate steps to limit that risk. On March 26, 2014, Commissioner Aguilar organized a roundtable to discuss cyber risks facing public companies and critical market participants such as exchanges, broker-dealers, and transfer agents. In addition, the SEC’s National Exam Program has included cybersecurity among its areas of focus in its National Examination Priorities for 2014. It was also recently announced that SEC examiners will review whether asset managers have policies to prevent and detect cyberattacks and are properly safeguarding against security risks that could arise from vendors having access to their systems. The Financial Industry Regulatory Authority (FINRA) also identified cybersecurity as one of its examination priorities for 2014.
Background on the role of boards of directors and risk management
Commissioner Aguilar began by highlighting the broad duties for which a board of directors is responsible. Specifically, a board of directors has a tremendous responsibility to the owners—the shareholders—to ensure that the board is properly representing the owners’ interests. As such, boards of directors must be held accountable for their decisions.
Though boards of directors have always been tasked with overseeing multiple aspects of management’s activities, the financial crisis that devastated shareholders has resulted in a focus on what boards of directors are doing to address risk management. At that time, the SEC also determined that boards are responsible for ensuring that the corporation has established appropriate risk management programs and for overseeing how management implements those programs. The SEC’s oversight agenda was highlighted in 2009 when the SEC amended its rules to require disclosure about, among other things, the board’s role in risk oversight, including a description of whether and how the board administers its oversight function, such as through the whole board, a separate risk committee, or an audit committee. The SEC has made it very clear that boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Those risk management protocols include cyber risk.
What boards of directors can and should be doing to oversee cyber risk
Prior to issuing a warning to boards of directors that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, Commissioner Aguilar noted the very real danger of cyber risk to companies. Specifically, Commissioner Aguilar noted the “significant cyberattacks that are occurring with disturbing frequency,” the “constant threat of potentially disastrous cyberattacks,” the “threat of business disruptions, substantial response costs, negative publicity, and lasting reputational harm,” and the “threat of litigation,” including shareholder derivative lawsuits, “and potential liability for failing to implement adequate steps to protect the company from cyber threats.”
Setting up the NIST framework
In light of the enormous threat of cyberattacks, which grows each day, Commissioner Aguilar provided some guidance on steps that boards of directors should take to adequately defend the company and properly oversee management. First, a board of directors should review and adopt the conceptual roadmap released by the National Institute of Standards and Technology (NIST), entitled “Framework for Improving Critical Infrastructure Cybersecurity.” This NIST framework is intended to provide companies with a set of industry standards and best practices for managing their cybersecurity risks. Companies that have not adopted the NIST framework because it is “voluntary” should reconsider. Indeed, Commissioner Aguilar stated that commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure for insurance purposes. Please see our blog post for more information on the NIST framework.
Restructuring the board to facilitate cyber risk management
Though conceptually valuable, the NIST framework is useless if the company cannot implement it and reap the benefits. Thus, the second goal highlighted by Commissioner Aguilar is to implement structural changes to the board to incorporate cyber risk management. To achieve such restructuring, some boards have taken mandatory courses on cyber risk. Others have suggested that boards be at least adequately represented by members with a sound understanding of information technology issues. Still others have created a separate enterprise risk committee on the board.
If a board has not been restructured or reconstituted to curb cybersecurity risk, Commissioner Aguilar considers that board to be well behind. Research suggests that 48 percent of corporations currently have board-level risk committees that are responsible for privacy and security tasks, a dramatic increase from the eight percent that reported having such a committee in 2008. Commissioner Aguilar commended companies that have changed with the times and installed some type of cybersecurity governance, but the commissioner also stated that such implementation is not a per se defense.
Defining roles of those responsible for cyber risk management
Commissioner Aguilar stated that boards should have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber risk management practices. Commissioner Aguilar’s guidance is not unsupported. A 2013 survey found that the companies that detected more security incidents and reported lower average financial losses per incident shared key attributes, including that they employed a full-time chief information security officer (or equivalent) who reported directly to senior management.
The question is not if, but when, a cyberattack will occur at an organization. Thus, the single most important distinction between companies that sink or swim after a cybersecurity attack occurs is whether the company—starting with the board of directors and funneling down—had a security breach plan in place prior to the incident. Companies need to be prepared to respond within hours, if not minutes, of a cyber event: to detect the event, analyze it, prevent further damage, and prepare a response. Those tasks must be well thought out to the point where the company is ready to break the proverbial glass, retrieve the manual, and begin implementation immediately.
Boards of directors must educate themselves about their organization’s data privacy and cybersecurity risks and make this an integral part of their ongoing duties. Here are some steps that boards can take to minimize the risk of data breaches:
- Review the organization's incident response plan and ensure that it is regularly reviewed and implemented
- Participate in training and breach response workshops for the incident response team
- Allocate appropriate funds in the budget for data privacy and cybersecurity proactive measures and breach responses
- Ensure that the board is properly informed of relevant data privacy risks and breaches
- Assign responsibility for data privacy and cybersecurity to the organization’s C-level executives
- Select a board member to be responsible for the organization’s data privacy and cybersecurity risk assessment
With the onset of cyber risk management, the tasks levied on a board of directors have increased in a uniquely dramatic way. What makes these new, additional duties even more cumbersome is that cyber risk is at the forefront of the general public’s concerns. The SEC has recognized this fear and has publicly warned companies that compliance is a must. Though a cyberattack is inevitable, its damage can be contained and limited if boards of directors plan now. Planning at the time a breach occurs is planning to fail. As past data breaches have shown, money is far better spent before a breach occurs to temper the damage than on the back end trying to put out an uncontrollable blaze.