An alarming recent surge in cyberattack incidents at many of the largest U.S. companies, exposing widespread vulnerabilities in payment card data security, has ushered into corporate boardrooms a new axiom of executive management: cyberrisk. From shareholders and consumers to watchful regulators, public companies face mounting pressure to bolster cybersecurity protocols and incorporate these surfacing threats within their businesses' risk management operations.
With a rapidly evolving threat, corporate executives fear that their businesses could be next. Moreover, doubts about whether they can fulfill their own managerial responsibilities without the technological understanding needed to factor the reality of cyberattacks into risk models have executives recalibrating their management oversight.
A handbook recently published by the National Association of Corporate Directors (NACD) outlines five principles that corporate boards should adhere to in adequately managing cyberrisks. Confronted with a threat characterized by “its complexity and speed of evolution; the potential for significant financial, competitive and reputational damage; and the fact that total protection is an unrealistic objective,” the report concludes, “the economics of cybersecurity still favors attackers.”
The Securities and Exchange Commission (SEC) has in recent months begun turning its attention to cybersecurity regulation. In March, the agency held corporate governance public roundtables looking into how cyber threats may impact capital markets and weighing the possibility of breach disclosure standards for public companies.
The SEC’s newly-formed investor advocate’s office also announced plans to study the landscape of protocols currently in place that protect investors from cyber threats. The study intends to examine efforts by the Financial Industry Regulatory Authority and participant stock exchanges in responding to attacks and will consider whether SEC rulemaking to require new technology standards would be effective.
It was reported in July that the SEC was pursuing a multi-front investigation of recent cyberattack incidents at companies. The investigation is to examine the internal controls of affected companies for protecting data, how those companies responded to attacks and the extent of breach disclosure to investors.
Speaking before the New York Stock Exchange in early June, SEC Commissioner Luis Aguilar told an audience of boards of directors that the need for cyberrisk oversight at the executive management level “is critical to preventing and effectively responding to successful cyberattacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”
Aguilar called for cyberrisk to become a component of overall risk management oversight for corporate boards. He pointed to lax cybersecurity standards at Target discovered in the aftermath of its data breach incident, which also led to the ousting of many of its top directors.
In his final recommendation, the commissioner advised board directors to conform their cybersecurity internal controls to the voluntary guidelines put forth in February by the National Institute of Standards and Technology (NIST), entitled the Framework for Improving Critical Infrastructure Cybersecurity. Aguilar insisted that, at the least, corporate directors use these guidelines as a yardstick against current internal policies.
“Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks,” Aguilar said.