SEC Commissioner Aguilar recently gave a speech addressing a board’s role in ensuring that management is appropriately addressing a company’s cyber-risks. Commissioner Aguilar stated that effective board oversight “is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.” He reminded boards of their responsibility for risk oversight broadly, stating that given the increasing frequency of cyber-attacks, “ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” Despite the potential damage posed by cybersecurity threats, he cited a survey that indicated that boards are not undertaking a number of key steps in overseeing cybersecurity, including reviewing annual budgets for privacy and IT programs, assigning roles and responsibilities for privacy and security, and receiving regular reports on breaches and IT risks.
Commissioner Aguilar encouraged boards to consider the February 2014 Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology, as they assess their company’s cybersecurity program. He asked boards at a minimum to “work with management to assess their corporate policies to ensure how they match up to the Framework’s guidelines – and whether more may be needed.” In addition, Commissioner Aguilar discussed knowledge gaps on boards regarding cyber issues, listing ways that boards may close that gap, including cyber-risk education or adding board members with experience in information technology. He also suggested that risk committees can help boards focus on company-wide risk issues.
Commissioner Aguilar emphasized the importance of planning a response to a cybersecurity breach. He stated, “boards should put time and resources into making sure that management has developed a well-constructed and deliberate response plan that is consistent with best practices for a company in the same industry.” In connection with these plans, he discussed required internal and external disclosure of cyber-attacks, encouraging companies “to go beyond the impact on the company and to also consider the impact on others.”
The speech is available here.