In a recent study conducted by Corporate Board Member & FTI Consulting, Inc., 11,340 corporate directors and 1,957 general counsel were surveyed regarding legal risks on their radar. For the first time in the 12 years the study has been conducted, data security was noted as the most prevalent concern among both directors (48 percent) and general counsel (55 percent). This level of concern has almost doubled in the last four years. For instance, in 2008, only 25 percent of directors and 23 percent of general counsel identified data security as an area of great concern.
Moreover, 33 percent of general counsel surveyed believe their board is not effective at managing cyber risk. This is one of the lowest ratings among the 13 risk management areas surveyed. When asked whether their company had a plan in place to manage a data breach should one occur, only 42 percent of directors said their company had a formal Incident Response Plan. Twenty-seven percent responded that their company had no such plan and 31 percent were uncertain.
Despite acknowledging such unpreparedness, 77 percent of directors and general counsel still believe their company is prepared to handle a data breach. The disconnect between having a written response plan and the perception of preparedness, however, is a serious concern. Corporate Board Member President TK Kerstetter addressed this issue, noting, “It is going to take several well-publicized security breaches before a supermajority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster.”
Proactive planning for a data breach, including drafting an Incident Response Plan and training employees on the importance of protecting personal information, is critical to minimizing the risks and exposures facing companies today. It may have taken 12 years for data security to top the list of concerns, but board members and general counsel should recognize that threats to the privacy and security of personal and confidential business information will always remain a primary concern.