SEC's Aguilar Urges Boards To Focus on Cyber-Risk Management

June 10 — Corporate boards must ensure that cybersecurity preparedness is a critical part of their risk oversight responsibilities, Securities and Exchange Commissioner Luis Aguilar said June 10.  

Despite the increase in cybersecurity incidents in the U.S. and the collateral consequences for the targeted companies, evidence suggests that many boards still aren't proactively tackling the issue, the SEC commissioner said in a speech at the New York Stock Exchange. Directors “should be asking themselves what they can, and should, be doing to effectively oversee cyber-risk management,” he said.

The SEC commissioner said he was voicing his own views, which didn't necessarily reflect those of the agency or other members.

Work With Management

At a minimum, boards should work with management to see how their corporate policies match up to the National Institute of Standards and Technology's cybersecurity framework, Aguilar said. Boards also should have a “clear understanding” of which personnel at their companies are primarily responsible for cybersecurity risk oversight and for ensuring the adequacy of risk management practices, he said.

Both the SEC and the Financial Industry Regulatory Authority have identified cybersecurity as an examination priority in 2014. The SEC held a roundtable on the matter in late March, and in April, the SEC's Office of Compliance Inspections and Examinations announced an initiative in which it said it would examine more than 50 registered broker-dealers and investment advisers on cybersecurity preparedness.

The Right Personnel

Aguilar said that even when boards focus their attention on cybersecurity issues, some observers have suggested that the boards may be relying too heavily on “the very personnel who implement those measures.”

In addition to having responsive boards, companies also must have the right personnel to perform effective cybersecurity risk management duties and to report regularly to the board, Aguilar continued. “Companies need to be prepared to respond within hours, if not minutes, of a cyber-event to detect the cyber-event, analyze the event, prevent further damage from being done, and prepare a response,” he said.

Whatever cybersecurity preparedness paths companies take, the ultimate goal of a response plan is to prepare for the inevitable attack and to contain the probable fallout, Aguilar said.

Moreover, companies should think beyond the impact to themselves and consider how others are affected, he added.

“It is possible that a cyber-attack may not have a direct material adverse impact on the company itself, but that a loss of customers' personal and financial data could have devastating effects on the lives of the company's customers and many Americans,” Aguilar said.

NACD Guide

Meanwhile, corporate boards may be better able to assess their understanding of cybersecurity risks using tools released last week by the National Association of Corporate Directors (NACD), according to the group's president and CEO, Ken Daly.

NACD, the American International Group and the Internet Security Alliance put together the latest issue in the NACD's Directors' Handbook Series—“Cyber-Risk Oversight”—which provides boards with “practical tools,” including “self-assessment questions” and “guidelines for conversations with management,” Daly said in a June 11 news release announcing the issue.

“Ninety percent of directors participating in our latest governance survey indicated they would like to improve their understanding of cybersecurity risk,” he said.

The publication covers a wide spectrum of board-level considerations related to oversight of cybersecurity, including board composition, liability implications, disclosure issues, access to expertise and risk-appetite calibration, the release said.

Boards should adapt the handbook's recommendations based on their company's unique characteristics, including size, life-cycle stage, business strategy, industry sector, geographic footprint and culture, the release said.

The full text of Aguilar's speech is available at

The NACD news release, along with a link to the Directors' Handbook Series, “Cyber-Risk Oversight,” is available at ?ItemNumber=10689.