No More Excuses!
CEOs and Boards of Directors Need to Take Ownership of Cyber Security Issues
Executive management and boards are finding they must take a much more involved role in cyber attack issues. The reality is that cyber attacks are growing at an alarming pace, with attack tactics changing faster than security teams can adapt to them. It is no longer a question of if a company will be targeted, but when; many companies have already been breached and simply do not know it yet. Cybersecurity is no longer just an IT issue, but a risk-management issue that must have board and C-suite oversight.
According to the Ponemon Institute report, The Importance of Senior Executive Involvement in Breach Response 2014, only 43% of CEOs have been trained on what to do after a data breach and only 45% think they are accountable. It is accepted that directors and the C-suite have a fiduciary duty to protect the assets of their organizations. Given how dependent organizations now are on information technology systems and global networks, that duty extends to digital assets as well, and it has been expanded by laws and regulations that impose privacy and cybersecurity requirements on companies. The 1996 Delaware case In re Caremark International Inc. Derivative Litigation set forth important case law on a board’s duty to ensure it has adequate information flows about risk. It follows that boards need to ensure they have adequate information flows and reporting on IT and cyber risks.
Due to the sophistication of today’s cyber assaults, breached companies risk not only financial and customer data, but also damage to their network and IT infrastructure, intellectual property, and reputation. All of this erodes customer loyalty, and the financial impact on victims is larger than in the past. The Ponemon Institute’s report “2015 Cost of Cyber Crime Study: United States” found that the average annual cost of cyber crime continues to grow every year, reaching $15 million per company in 2015 for the U.S., and that it took on average 46 days to resolve a cyberattack.
The IT Governance Institute (ITGI) states that:
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.
It used to be that CEOs never lost their jobs over a security breach. Then came Sony, Target, and Anthem, and the calculus changed. Today a CEO can miss his or her quarterly numbers a few times and keep the job; allow a major security breach on his or her watch, and the CEO loses not only the job but the career. It is therefore critical that corporate directors get involved in assessing the risk, improving their companies’ cyber security, and managing the consequences of a security breach.
Several significant announcements came at the end of 2015 that further impact the need for board and C-suite involvement in cybersecurity:
1. The SEC has changed its position on cybersecurity risk, regarding it as not just a risk to data, but to the markets themselves.
In addition, the SEC has provided a list of information the Office of Compliance Inspections and Examinations (OCIE) may review in conducting examinations of registered entities regarding cybersecurity matters. The list includes the following:
- Firm policies and procedures related to 1) Protection of broker-dealer customer and/or investment adviser client records and information and 2) Patch management practices.
- Board minutes and briefing materials regarding cyber-related risks; cybersecurity incident response planning; actual cybersecurity incidents; and cybersecurity-related matters involving vendors.
- Information regarding the firm’s Chief Information Security Officer (CISO).
- Information regarding the firm’s organizational structure, particularly regarding positions and departments responsible for cybersecurity-related matters.
2. Insurance companies, including Lloyd’s of London, are scrutinizing cyber risk much more closely and pricing coverage according to how well companies are set up to deal with it.
3. Moody’s Investors Service announced the threat of cyber risk is of growing importance to credit analysis. According to Jim Hempstead, Moody’s Associate Managing Director, “More cyber security expertise is being added to boards and trustee governance.”
Although these announcements mostly relate to publicly traded corporations, private companies could soon be affected as well, as their insurers, lenders, and counterparties hedge their own risk. Based on the above, the logical conclusion is that in 2016 cybersecurity will take a more important role in business planning and strategy, and executive management and boards need to be prepared for it.
The responsibility of the C-suite and board of directors is to protect shareholder interests. Cyber security breaches threaten those interests today as never before. Fortunately, there are practical steps and best practices that directors can implement to ensure they fulfill their responsibilities to protect their companies and their shareholders.