
The Need for Corporate Boards to Oversee Cyber Security Risks


Target’s Cyber Security Breach Puts Greater Focus on Role of Directors & Officers

In a prepared statement Tuesday, June 10th, at an event at the New York Stock Exchange, SEC Commissioner Luis Aguilar called on corporate boards to ensure they’re taking the necessary steps to address and oversee their companies’ cyber security risks. Ensuring the adequacy of a firm’s cyber security measures “needs to be a critical part of a board of directors’ risk oversight responsibilities,” said Commissioner Aguilar.

The role of board oversight in cyber security came into sharp focus in May when a prominent proxy adviser urged the departure of seven of Target Corp.’s 10 directors for failing to protect the retailer from a high-profile data breach that compromised 40 million credit cards. According to the Wall Street Journal, the recommendation focused on directors on the board’s audit and corporate responsibility committees, which are often tasked with overseeing risk management. At the time, a corporate governance consultant told the Journal that the move raised “a red flag about risk oversight that is a growing issue for boards.” The risk of cyber attacks can directly affect both operations and the broader brand or reputation of a company, often resulting in significant financial repercussions, as evident in the Target breach that occurred in November-December last year.

The Commissioner, along with others, acknowledges that there isn’t a one-size-fits-all approach to preparing for cyber attacks, but it’s essential that boards put time and resources into making sure there is a deliberate response plan consistent with best practices for companies in the same industry. “It is possible that a cyber attack may not have a direct material adverse impact on the company itself, but that loss of customers’ personal and financial data could have devastating effects on the lives of the company’s customers and many Americans,” Aguilar said. “In such cases, the right thing to do is to give these victims a heads-up so that they can protect themselves.”

In fact, we discussed this very thing in our previous blog article, which addressed data breach notification and the various state laws that exist. The key is to have a plan that addresses disclosure internally and externally to both customers and investors and to ensure that the company follows the rules of each state.

In addition, in undertaking key oversight activities related to cyber risks, boards should be reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks.

In a paper on Risk Intelligence and Cyber Threats released by Deloitte, certain recommendations were made regarding a board’s role in cyber security:

  • Boards should proactively ask questions of management, champion education and awareness programs company-wide and treat risk as a priority.
  • Boards should hear from the chief information officer, chief technology officer or others who are tasked with monitoring cyber risks.
  • Boards should consider engaging third-party specialists to speak with them about the risk, how to mitigate it and signs that may signal a breach.
  • The full board should take the necessary actions to stay informed on management’s risk practices so it can effectively oversee cyber security.

With cyber security a significant top-of-mind challenge, boards and their directors must become preemptive in evaluating their risk exposure, treating it as an enterprise-wide risk management issue rather than limiting it to an IT concern. Part of this is making sure that the right Cyber Liability insurance is secured and customized to the company’s needs to respond in the event of a data breach. The professionals at Axis Insurance Services can help you with your Privacy and Network Security needs. We specialize in Cyber Liability insurance, placing customized coverage for a broad range of industries. For more information, please call us at: (877) 787-5258.

Sources: Wall Street Journal, Deloitte

Blogged on: June 17, 2014 by Mike Smith