Cyber-Risk: It's Not Just An IT Issue, It's A Board Issue
On June 10, 2014, U.S. Securities and Exchange Commissioner Luis A. Aguilar spoke at the New York Stock Exchange “Cyber Risks and the Boardroom” Conference. Pointing to the high number of recent successful cyber-attacks, Commissioner Aguilar argued that cyber-risk must be treated as part of a board’s overall risk oversight, and that it is the board’s responsibility to ensure the adequacy of the company’s cybersecurity measures. He cited several practices for doing so, including having boards review the annual budgets for privacy and IT security programs, assign roles and responsibilities for privacy and security, and receive regular reports on breaches and IT risks. Aguilar also encouraged companies to conduct regular risk assessments and pointed to the recently released Framework for Improving Critical Infrastructure Cybersecurity from the National Institute of Standards and Technology (“NIST”) as the likely standard for best practices in assessing a company’s cybersecurity risks. In short, boards need to educate themselves about cybersecurity risks and be proactive in minimizing them.
Commissioner Aguilar’s speech can be found at: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946