June 10 — Corporate boards must ensure that cybersecurity preparedness is a critical part of their risk oversight responsibilities, Securities and Exchange Commissioner Luis Aguilar said June 10.
Despite the increase in cybersecurity incidents in the U.S. and the collateral consequences for the targeted companies, evidence suggests that many boards still aren't proactively tackling the issue, the SEC commissioner said in a speech at the New York Stock Exchange. Directors “should be asking themselves what they can, and should, be doing to effectively oversee cyber-risk management,” he said.
The SEC commissioner said he was voicing his own views, which didn't necessarily reflect those of the agency or other members.
At a minimum, boards should work with management to see how their corporate policies match up to the National Institute of Standards and Technology's cybersecurity framework, Aguilar said. Boards also should have a “clear understanding” of which personnel at their companies are primarily responsible for cybersecurity risk oversight and for ensuring the adequacy of risk management practices, he said.
Both the SEC and the Financial Industry Regulatory Authority have identified cybersecurity as an examination priority in 2014. The SEC held a roundtable on the matter in late March, and in April, the SEC's Office of Compliance Inspections and Examinations announced an initiative in which it said it would examine more than 50 registered broker-dealers and investment advisers on cybersecurity preparedness.
Aguilar said that even when boards focus their attention on cybersecurity issues, some observers have suggested that the boards may be relying too heavily on “the very personnel who implement those measures.”
In addition to having responsive boards, companies also must have the right personnel to perform effective cybersecurity risk management duties and to report regularly to the board, Aguilar continued. “Companies need to be prepared to respond within hours, if not minutes, of a cyber-event to detect the cyber-event, analyze the event, prevent further damage from being done, and prepare a response,” he said.
Whatever cybersecurity preparedness paths companies take, the ultimate goal of a response plan is to prepare for the inevitable attack and to contain the probable fallout, Aguilar said.
Moreover, companies should think beyond the impact to themselves and consider how others are affected, he added.
“It is possible that a cyber-attack may not have a direct material adverse impact on the company itself, but that a loss of customers' personal and financial data could have devastating effects on the lives of the company's customers and many Americans,” Aguilar said.
Meanwhile, corporate boards may be better able to assess their understanding of cybersecurity risks using tools released last week by the National Association of Corporate Directors (NACD), according to the group's president and CEO, Ken Daly.
NACD, the American International Group and the Internet Security Alliance put together the latest issue in the NACD's Directors' Handbook Series—“Cyber-Risk Oversight”—which provides boards with “practical tools,” including “self-assessment questions” and “guidelines for conversations with management,” Daly said in a June 11 news release announcing the issue.
“Ninety percent of directors participating in our latest governance survey indicated they would like to improve their understanding of cybersecurity risk,” he said.
The publication covers a wide spectrum of board-level considerations related to oversight of cybersecurity, including board composition, liability implications, disclosure issues, access to expertise and risk-appetite calibration, the release said.
Boards should adapt the handbook's recommendations based on their company's unique characteristics, including size, life-cycle stage, business strategy, industry sector, geographic footprint and culture, the release said.
The full text of Aguilar's speech is available at http://op.bna.com/ccw.nsf/r?Open=mmey-9l6lwe.
The NACD news release, along with a link to the Directors' Handbook Series, “Cyber-Risk Oversight,” is available at http://www.nacdonline.org/AboutUs/PressRelease.cfm?ItemNumber=10689.