Oct. 2 — An increasing number of corporate boards of large companies are placing greater emphasis on cybersecurity issues, with the financial services sector experiencing particularly high rates of engagement, according to a report released Oct. 2.
Fully 63 percent of boards of Fortune Global 2000 companies are actively addressing issues involving computer and information security, an increase from 33 percent reported in 2012, according to the survey report released at a Financial Services Roundtable conference in Washington.
The financial services industry demonstrated significant improvements to its cybersecurity policies and procedures, the report said. For instance, 64 percent of financial sector corporate boards considered cybersecurity issues when reviewing third-party supplier relationships, an increase from 38 percent in 2012, the report said, and 100 percent of industry survey respondents said their firms currently employ a chief risk officer.
Still, companies within all sectors can improve on their cybersecurity regimes, specialists at the event said.
Kimberly Kiefer Peretti, a partner and cybersecurity specialist at Alston & Bird LLP, in Washington, told the event that although she is increasingly working with boards that take cybersecurity seriously, it is still the case that many of her engagements begin only after a breach occurs and not beforehand when adequate planning could limit the severity of a breach.
An essential element of any cybersecurity program is the development of a response plan that clearly explains its purpose to all employees and has been tested for effectiveness, the report said. Plans should be fully understood, endorsed and implemented by senior management, speakers at the event said.
Disaster can occur when senior executives are uncertain about how to respond to a breach, Georgia Institute of Technology professor and report author Jody Westby said.
She labeled the managerial response to a cyberattack on Target Corp., disclosed by the company in December 2013, as “a classic textbook case, I think for years to come, of how not to manage a breach.”
The board wasn't prepared to respond to a breach, and actions it did take—the chief executive officer firing the company's chief information officer, for instance—may have made a bad situation even worse because it could have inhibited information sharing needed for an effective breach recovery, she said.
An important organizational shift picked up by the survey is that many boards have established separate risk committees to oversee cybersecurity issues; prior to that change cybersecurity issues were largely handled by audit committees.
Another shift is that instead of focusing on isolated components of a cybersecurity program, such as penetration testing, boards are conducting more comprehensive risk assessments. Many times the assessments are made more robust by engaging external, independent specialists for risk-management assistance, the report said.
A primary element of any corporate plan to combat cyberattacks should be a commitment by senior management to regularly and deliberately remind an organization of the importance of combating cyberattacks and continually scrutinizing resilience tactics, speakers said.
• conduct annual audits of a company's enterprise cybersecurity program, as the cyberattack landscape can change suddenly;
• require regular status reports from senior management regarding a firm's cybersecurity program, remediation activities and recent incidents;
• ensure incident response plans are carefully considered and can address a multi-pronged attack aimed at exfiltrating intellectual property, e-mail and other personnel communication, human resources data, and other corporate assets;
• review the adequacy of corporate cyber insurance coverage; and
• ensure that privacy and security roles are separate and that responsibilities are appropriately assigned.
Weak areas of cybersecurity governance mentioned by survey respondents involved a lack of board engagement in reviewing cybersecurity budgets and assigning roles and responsibilities for key privacy and security personnel. Reporting structures should be adjusted so that senior cybersecurity officials report directly to the company's chief executive: in 2015 about 40 percent of respondents indicated their companies' chief security officer reported to a chief information officer, not a chief executive officer.
The report is based on survey results received from 121 respondents at the board or senior executive level at 1,927 Forbes Global 2000 companies. A total of 34 percent of respondents were chief executive officers, 12 percent were board chairmen and 46 percent were chief financial officers.
To contact the reporter on this story: Stephen Joyce in New York at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org
The report, “Governance of Cybersecurity: 2015 Report,” is available at http://fsroundtable.org/governance-of-cybersecurity-2015-report/.