“Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.” SEC Commissioner Luis A. Aguilar, June 10, 2014.1
Cybersecurity has become a risky business and boards need to be prepared. At least 3,000 U.S. companies were the victim of some kind of hack last year, and the annual cost of cyber-crime to the global economy is estimated to exceed $445 billion.2 In the wake of prominent breaches, the CEO and CIO of Target resigned, boards of directors of Target and Wyndham Hotels were sued for breach of fiduciary duty, and Institutional Shareholder Services Inc. (ISS) openly campaigned against members of Target’s audit and corporate responsibility committees because “these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information.”
These tangible consequences for boards and management are a response to growing awareness of critical risk. As the National Institute of Standards and Technology (NIST) noted, “The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.”
2014 Regulatory Developments
In February 2014, NIST issued its first Framework for Improving Critical Infrastructure Cybersecurity. The framework provides companies with standards and best practices for managing cyber risks, establishing a common vocabulary for discussions between businesspeople and technical specialists. It offers an incremental approach to cyber risk management and enables companies to flexibly address risk.
Although the NIST framework is voluntary, regulators appear to be tacitly adopting the NIST framework as a guide to evaluating companies. In April 2014, the SEC’s Office of Compliance, Inspections and Examinations (OCIE) announced a cybersecurity audit in which it reviewed cyber practices of more than 50 broker-dealers and investment advisors. Despite being only directed to broker-dealers and investment advisors, the seven-page list of cybersecurity questions provides a guide to companies in any industry of the focus of regulators in assessing cybersecurity readiness.
In November, the SEC unanimously adopted Regulation SCI (Systems Compliance and Integrity) to govern the technology infrastructure of the United States’ securities exchanges and certain other trading platforms and market participants. The new rules are designed to minimize disruptions to markets and enhance the capability of exchanges and trading platforms to respond to, and remedy, breakdowns in their systems. The rules are the first updates in more than two decades to the technological standards governing exchange-based automated trading systems. The SEC has signaled that it may expand the scope of Regulation SCI to include other key market participants in the future.
Industries also continued to self-regulate. The retail and oil and gas industries established the Information Sharing and Analysis Centers (ISAC) to aggregate analyze and distribute information regarding threats to their respective industries. The Federal Financial Institutions Examination Council established a site to outline cybersecurity guidance and indicated that member agencies (including the Federal Reserve, the FDIC and the OCC) will begin incorporating cybersecurity assessments into the examination process by the end of the year. The Department of Justice and the Federal Trade Commission issued a joint statement that officially encouraged companies, including direct competitors, to share cyber threat information with one another, emphasizing that “properly designed sharing of cyber threat information should not raise antitrust concerns.”
Key Risk Management Considerations
Boards should place cybersecurity near the top of any enterprise risk management program. The following are questions that boards should be asking:
- Governance. Has the board established a cybersecurity review committee and determined clear lines of reporting and responsibility for cyber issues?
- Critical Asset Review. Has the company identified what its highest cyber risk assets are (e.g., IP, personal information, trade secrets, mechanical controls on equipment, etc.)? Are sufficient resources allocated to protect these assets?
- Threat assessment. What is the daily/weekly/monthly threat report for the company? What are the current gaps and how are they being resolved?
- Incident Response Preparedness. Does the company have an incident response plan and has it been tested in the past six months? Has the company established contracts via outside counsel with forensic investigators in the event of a breach to facilitate quick response and privilege protection?
- Employee Training. What training is provided to employees to help them identify common risk areas for cyber threat?
- Third-Party Management. What are the company’s practices with respect to third parties? What are the procedures for issuing credentials? Are access rights limited and backdoors to key data entry points restricted? Has the company conducted cyber due diligence for any acquired companies? Do the third-party contracts contain proper data breach notification, audit rights, indemnification and other provisions?
- Insurance. Does the company have specific cyber insurance and does it have sufficient limits and coverage?
- Risk Disclosure. Has the company updated its cyber risk disclosures in SEC filings or other investor disclosures to reflect key incidents and specific risks?
Cybersecurity is no longer solely an IT issue. The board must do more than simply review the IT budget annually and trust the IT department to self-regulate. The SEC and other government agencies have made clear that it is their expectation that boards actively manage cyber risk at an enterprise level. Given the complexity of the cybersecurity inquiry, boards should seriously consider conducting an annual third-party risk assessment to review current practices and risks.
This post was excerpted from our annual Top 10 Topics for Directors in 2015 alert. To read the full alert, please click here
1 Speech by SEC Commissioner Luis A. Aguilar, “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus” (June 10, 2014).
2 Adam J. Epstein, “Thinking Strategically About Cyber Risk,” NACD Directorship (Sept./Oct. 2014), p. 32-34, citing a study by the Center for Strategic and International Studies, June 2014.