Financial Company Boards Leading Cybersecurity Plans

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Joyce

Oct. 2 — An increasing number of corporate boards of large companies are placing greater emphasis on cybersecurity issues, with the financial services sector experiencing particularly high rates of engagement, according to a report released Oct. 2.

Fully 63 percent of boards of Fortune Global 2000 companies are actively addressing issues involving computer and information security, an increase from 33 percent reported in 2012, according to the survey report released at a Financial Services Roundtable conference in Washington.

The financial services industry demonstrated significant improvements to its cybersecurity policies and procedures, the report said. For instance, 64 percent of financial sector corporate boards considered cybersecurity issues when reviewing third-party supplier relationships, an increase from 38 percent in 2012, the report said, and 100 percent of industry survey respondents said their firms currently employ a chief risk officer.

Still, companies within all sectors can improve on their cybersecurity regimes, specialists at the event said.

Kimberly Kiefer Peretti, a partner and cybersecurity specialist at Alston & Bird LLP, in Washington, told the event that although she is increasingly working with boards that take cybersecurity seriously, it is still the case that many of her engagements begin only after a breach occurs and not beforehand when adequate planning could limit the severity of a breach.

What Not to Do

An essential element of any cybersecurity program is the development of a response plan that clearly explains its purpose to all employees and has been tested for effectiveness, the report said. Plans should be fully understood, endorsed and implemented by senior management, speakers at the event said.

Disaster can occur when senior executives are uncertain about how to respond to a breach, Georgia Institute of Technology professor and report author Jody Westby said.

She labeled the managerial response to a cyberattack on Target Corp. disclosed by the company in December 2013 as “a classic textbook case, I think for years to come, of how not to manage a breach.”

The board wasn't prepared to respond to a breach, and actions it did take—the chief executive officer firing the company's chief information officer, for instance—may have made a bad situation even worse because it could have inhibited information sharing needed for an effective breach recovery, she said.

An important organizational shift picked up by the survey is that many boards have established separate risk committees to oversee cybersecurity issues; prior to that change cybersecurity issues were largely handled by audit committees.

Another shift is that instead of focusing on isolated components of a cybersecurity program, such as penetration testing, boards are conducting more comprehensive risk assessments. Many times the assessments are made more robust by engaging external, independent specialists for risk-management assistance, the report said.

Engagement Recommendations

A primary element of any corporate plan to combat cyberattacks should be a commitment by senior management to regularly and deliberately remind an organization of the importance of combating cyberattacks and continually scrutinizing resilience tactics, speakers said.

The report recommends that boards:

• conduct annual audits of a company's enterprise cybersecurity program, as the cyberattack landscape can change suddenly;

• require regular status reports from senior management regarding a firm's cybersecurity program, remediation activities and recent incidents;

• ensure incident response plans are carefully considered and can address a multi-pronged attack aimed at exfiltrating intellectual property, e-mail and other personnel communication, human resources data, and other corporate assets;

• review the adequacy of corporate cyber insurance coverage; and

• ensure that privacy and security roles are separate and that responsibilities are appropriately assigned.

Weak areas of cybersecurity governance mentioned by survey respondents involved a lack of board engagement in reviewing cybersecurity budgets and assigning roles and responsibilities for key privacy and security personnel. Reporting structures should be adjusted so that senior cybersecurity officials report directly to the company's chief executive: in 2015 about 40 percent of respondents indicated their companies' chief security officer reported to a chief information officer, not a chief executive officer.

The report is based on survey results received from 121 respondents at the board or senior executive level at 1,927 Forbes Global 2000 companies. A total of 34 percent of respondents were chief executive officers, 12 percent were board chairmen and 46 percent were chief financial officers.

To contact the reporter on this story: Stephen Joyce in New York at sjoyce@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

The report, “Governance of Cybersecurity: 2015 Report,” is available at http://fsroundtable.org/governance-of-cybersecurity-2015-report/.