In a June 10, 2014 speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus” delivered at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar highlighted the critical importance of the involvement of boards of directors in cybersecurity oversight. In his speech, Aguilar stressed that “ensuring the adequacy of a company’s cybersecurity measures needs to be a part of a board of director’s risk oversight responsibilities.” He added the warning that “boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril.” A copy of Aguilar’s speech can be found here.
Aguilar opened his speech by highlighting the extent of the risks associated with cybersecurity. He emphasized the “widespread and severe impact that cyber-attacks could have on the integrity of the capital markets, infrastructure and on public companies and investors.” In light of these risks, Aguilar said that “effective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting the company and their consumers, as well as protecting investors and the integrity of the capital markets.”
Aguilar noted that risk management oversight is an increasingly important board role, adding that “there can be little doubt that cybersecurity also must be considered as part of the board’s overall risk oversight.” Aguilar specifically referenced the recent effort by proxy advisory firm ISS to oust many directors of Target Corporation for allegedly lax cybersecurity oversight, which, he said, “should put directors on notice to proactively address the risks associated with cyber-attacks.” (It should be noted, however, that at the June 11, 2014 Target Corp. annual meeting all board members were re-elected.)
Aguilar emphasized that the threats of a cyber-attack include not only the risk of business disruption and reputational harm but also for directors “the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats.” He noted that – “perhaps unsurprisingly” – Target and Wyndham have each recently been hit with shareholder lawsuits relating to those companies’ data breaches, commenting that “boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”
In discussing what boards can and should be doing on cybersecurity issues, Aguilar said that the place for boards to begin in assessing their company’s cybersecurity readiness is the National Institute of Standards and Technology’s February 2014 report entitled the “Framework for Improving Critical Infrastructure Cybersecurity” (here), which he said is “likely to become a baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes.”
In order to translate the concepts in the NIST Framework into action, boards need to take steps to address the knowledge gap that often exists at the board level on cybersecurity issues. Aguilar recommends that boards create a separate enterprise risk committee at the board level in order to ensure that there is sufficient focus at the board level on the adequacy of resources and overall support provided to company executives responsible for risk management. Boards should also develop “a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices.”
The key, according to Aguilar, is to ensure that the company is appropriately prepared to respond in the event of a cyber-attack. Boards, he said, “should put time and resources into making sure that management has developed a well-constructed and deliberate plan” for responding to a data breach or other cyber incident. The plan should include, among other things, a framework for determining “whether and how the cyber-attack will need to be disclosed internally and externally.” He added a suggestion that in undertaking this disclosure the company should go beyond the impact on the company and consider the impact on others, including consumers or other groups.
Aguilar closed his speech by emphasizing that “given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing [cybersecurity] risks.”
Aguilar’s speech represents yet another confirmation that cybersecurity is a board level issue. He also emphasized that board failure to address these issues represents a liability exposure for directors. While he referred only to the efforts of shareholders to hold board members accountable through litigation, the fact is that – as his speech itself underscores – cybersecurity is an increasingly important issue to the SEC. It is not too much to say that a message implicit in his speech is that the Commission itself may hold boards accountable for their responsibilities as well. At a minimum, Aguilar’s speech underscores that cybersecurity is an issue on which the Commission is focused and about which the Commission is concerned.