Is Cybersecurity a Top Priority in Your Boardroom?

Cybersecurity deserves the attention of a company’s top executives, according to the Securities and Exchange Commission’s Luis Aguilar.  Commissioner Aguilar addressed growing data protection concerns during his remarks at the “Cyber Risks and the Boardroom” Conference at the New York Stock Exchange earlier this month.

“Effective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets,” Aguilar stated.

As highlighted by the Wall Street Journal, board oversight over cybersecurity has become a hot topic in the wake of the Target Corp. breach. Institutional Shareholder Services (ISS), a leading provider of corporate governance solutions for asset owners, investment managers, and asset service providers, made headlines when it recommended the removal of seven of the company’s ten directors for “failing to provide sufficient risk oversight.” While the directors were ultimately re-elected, the ISS report highlights that board involvement in risk management strategies will receive greater scrutiny going forward.

While Aguilar acknowledged that there is not a “one size fits all” approach to managing data protection and cybersecurity risks, he emphasized that it is imperative to devote time and resources to taking action before a breach occurs.

“Board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues. Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks,” he stated.

Finally, Aguilar emphasized the importance of disclosure, even when it may not be mandated by SEC regulations.

“It is possible that a cyberattack may not have a direct material adverse impact on the company itself, but that loss of customers’ personal and financial data could have devastating effects on the lives of the company’s customers and many Americans,” Aguilar stated. “In such cases, the right thing to do is to give these victims a heads-up so that they can protect themselves.”

If you have any questions about this post or would like to discuss the issues involved, please contact me, Fernando Pinguelo, or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit eWhiteHouseWatch (http://ewhwblog.com). You can also check out my newly created Twitter account follow me @cyberpinguelo.