In a recent speech, SEC Commissioner Aguilar made it clear that cybersecurity should be on every corporate director's radar. Aguilar, speaking at an event at the New York Stock Exchange on June 10, 2014, called on corporate boards to play a key role in preparing for and ultimately thwarting cyber-attacks and noted that "ensuring the adequacy of a company's cybersecurity measures needs to be a critical part of a board of director's risk oversight responsibilities."1
During the first half of 2014 the SEC has been focusing heavily on cybersecurity challenges facing US companies. On March 26, the SEC hosted a Cybersecurity Roundtable to inform the marketplace of existing cyber-threats and to consider possible countermeasures.2 Shortly thereafter, the SEC announced its plan to assess marketplace cybersecurity preparedness by conducting examinations of more than 50 registered broker-dealers and investment advisors.3
The SEC's increased focus on cybersecurity is motivated by the rate at which cyber-crime is growing. Cyber terrorists and criminals continue to become more sophisticated and are emboldened by highly publicized successful data breaches. Between 2011 and 2012, the number of cyber-attacks against US companies increased by 42%.4 Between 2009 and 2013, the cost of cyber-crime jumped by 78%.5
In this environment, it is incumbent on companies and their directors to take appropriate steps to safeguard their electronic data and ultimately the interests of their shareholders and customers. Failing to do so could expose directors to individual scrutiny from plaintiffs' lawyers over whether they complied with their fiduciary duties in preventing cyber-attacks. As Commissioner Aguilar warned, the cost of inaction can be considerable:
In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats. Perhaps unsurprisingly, there has recently been a series of derivative lawsuits brought against companies and their officers and directors relating to data breaches resulting from cyber-attacks. Thus, boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.6
The message is clear – cybersecurity should be on every corporate director's radar. If a significant breach occurs, directors will be second-guessed by plaintiffs' lawyers on whether they adequately prioritized cybersecurity matters. So, how does one develop an effective strategy to combat cyber-threats while also keeping potential shareholder plaintiffs at bay? Commissioner Aguilar offered some insight at his June 10 address. He discussed what boards of directors "can, and should, do to ensure that their organizations are appropriately considering and addressing cyber-risks."7 Below is a summary of the key mitigation steps he proposed.8
Steps to mitigate cyber-risk
- Develop a conceptual roadmap for cybersecurity counter-measures. The first step in addressing any new threat is to develop a defense plan. To aid in this effort, Commissioner Aguilar recommended turning to the Framework for Improving Critical Infrastructure Cybersecurity, which was published by the National Institute of Standards and Technology ("NIST") in February 2014.9 This Framework is "a set of industry standards and best practices to help organizations manage cybersecurity risks."10 While the Framework is only "voluntary guidance" at this time, "it will likely become a baseline for best practices by companies."11 Importantly, the Commissioner suggested that the Framework could become the baseline for "assessing legal or regulatory exposure."12
- Acquire the knowledge to implement the conceptual roadmap. Once a high-level strategy plan is in place, a company should tailor its cybersecurity regime to its unique information technology environment. However, corporate board members may lack the "expertise, support, or skills necessary to add oversight of a company's cyber-risk management to their already full agenda."13 To bridge the knowledge gap, a company could begin "mandatory cyber-risk education for [its] directors." Alternatively, the company could "create a separate enterprise risk committee on the board," somewhat akin to the independent risk committees required by the Dodd-Frank Act. Further still, a board could ensure that it is "adequately represented by members with a good understanding of information technology issues that pose risks to the company." While there are several possible solutions, the key is for a board to be "proactive" in selecting and implementing the approach that best fits the company.
- Hire qualified IT personnel and develop a clear chain-of-command. A "proactive" board can only be effective in mitigating cyber-risk if the company has qualified technical personnel to execute the board's cybersecurity directives. Indeed, "devoting full-time personnel to cybersecurity issues may help prevent and mitigate the effects of cyber-attacks."14 Beyond hiring the right people, it is important to have a "clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company's cyber-risk management practices."15 The value of a clear chain-of-command and a senior management position dedicated to cybersecurity was underscored by a 2013 survey which found that companies which employed a full-time chief information security officer "detected more security incidents and reported lower average financial losses per incident."16
There is no "one-size-fits-all" solution to the threat of cyber-crime, and an "ill-thought-out response can be far more damaging than the attack itself."17 As such, "boards should put time and resources into making sure that management has developed a well-constructed and deliberate response plan that is consistent with best practices for a company in the same industry."18 The aforementioned steps laid out by Commissioner Aguilar can be a starting point in that effort.
8 These mitigation steps are Commissioner Aguilar's recommendations, not binding legal requirements.