August 16, 2014

Boards of Directors and Information Security Risks

Directors should take an active role in managing data security risks rather than leaving it up to management and IT staff, according to recent remarks by SEC Commissioner Luis Aguilar.

Commissioner Aguilar recently delivered a speech at the New York Stock Exchange in which he emphasized that cybersecurity has become a “top concern” and pleaded with corporate directors to “take seriously their obligation to make sure that companies are appropriately addressing those risks.”

The Commissioner reported that U.S. companies experienced a 42% increase from 2011 to 2012 in the number of successful cyber-attacks. He also pointed out a number of recent high-profile incidents, including the following:
  • The October 2013 cyber-attack on the software company Adobe in which data from more than 38 million customer accounts was breached;
  • The December 2013 cyber-attack on Target, in which the payment card data of approximately 40 million Target customers and the personal data of up to 70 million Target customers was breached;
  • The January 2014 cyber-attack on Snapchat, a mobile messaging service, in which a reported 4.6 million user names and phone numbers were leaked;
  • The multiple cyber-attacks against several large U.S. banks, in which their public websites have been shut down for hours at a time; and
  • The numerous cyber-attacks on securities exchanges. (According to a 2012 global survey of 46 securities exchanges, 53% reported experiencing a cyber-attack in the previous year.)

Commissioner Aguilar said that cybersecurity has become a "top concern" of American companies over a relatively short period of time. That's good news. But, according to the Commissioner, directors themselves should be involved in addressing cybersecurity risks.

The essence of Commissioner Aguilar's comments related to the board’s role in corporate governance and overseeing risk management. He pointed out that since the financial crisis, there has been an increased focus on how boards address risk management. While acknowledging that primary responsibility for risk management has historically belonged to management, he emphasized that boards are responsible for ensuring that the corporation has established appropriate risk management programs and for overseeing how management implements those programs. Not surprisingly, he mentioned the SEC's 2009 rule change which calls for the public disclosure of the board's role in risk management (usually in a proxy statement).

In addition to the SEC's rule changes, proxy advisory firms appear to be applying pressure to boards to focus on data security risks. A prominent proxy advisory firm has recommended that shareholders vote against the election of most of Target's directors because of their alleged “failure…to ensure appropriate management of [the] risks” resulting in Target’s December 2013 breach.

The result of these influences is encouraging: Boards have begun to assume greater responsibility for overseeing the risk management efforts of their companies, according to evidence cited by the Commissioner. For example, according to a survey of 2013 proxy statements filed by S&P 200 companies, the full boards have almost universally assumed responsibility for the risk oversight of their respective companies.

The Commissioner concluded by expressing his view that "board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues."

You can read the Commissioner's full remarks here.



(c) Matt Cordell 2013

5 comments:

Harry Lee said...

Sameday payout loans are known for promptly offering you cash in the same day without any credit checks. You can borrow the money without any credit checks. Repayment of the loan amount can be made on next payday.

sameday payout loans
£50 loans same day

Harry Lee said...

same day text loans for the people on benefits are provided instantly by sending an SMS to the lender from your mobile phone. You can repay the loan in a week on next payday.

same day text loans for the people on benefits
quick text loans for the unemployeds

Harry Lee said...

Short term loan no credit check uk ensure fast cash without credit checks for same day cash. You can shortly pay off the loan.

Short term loan no credit check uk
Short term loan with bad credit

John Samual said...

Hi,

The blog was absolutely fantastic! Lots of great information and inspiration, both of which we all need! Keep 'em coming... you all do such a great job at such concepts... can't tell you how much I, for one, appreciate all you do!

Thanks

loans for 30 days
payday loans for 30 days

John Dudley said...

Do you have any immediate project requirements to be handled by skilled manpower or is your existing IT Staff Outsourcing finding it nearly impossible to keep up with the project demand