In a June 10, 2014 speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus” delivered at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar highlighted the critical importance of the involvement of boards of directors in cybersecurity oversight. In his speech, Aguilar stressed that “ensuring the adequacy of a company’s cybersecurity measures needs to be a part of a board of director’s risk oversight responsibilities.” He added the warning that “boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril.”
Aguilar opened his speech by highlighting the extent of the risks associated with cybersecurity. He emphasized the “widespread and severe impact that cyber-attacks could have on the integrity of the capital markets, infrastructure and on public companies and investors.” In light of these risks, Aguilar said that “effective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting the company and their consumers, as well as protecting investors and the integrity of the capital markets.”
In discussing what boards can and should be doing on cybersecurity issues, Aguilar said that the place for boards to begin in assessing their company’s cybersecurity readiness is the National Institute of Standards and Technology’s February 2014 report entitled “Framework for Improving Critical Infrastructure Cybersecurity”, which he said is “likely to become a baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes.”
The Target breach is the largest breach on record, with costs of over $60M, of which $40M was insured. The breach impacted Target's earnings and resulted in lawsuits being filed against the Directors & Officers for mismanagement.
The cyber issue is here and needs to be addressed if you handle or store private personal information. Transferring part of the risk to an insurance policy is a good initial step toward managing the concern.