Luis A. Aguilar, a Commissioner of the Securities and Exchange Commission (“SEC”), spoke at the New York Stock Exchange’s Governance Services department “Cyber Risks and the Boardroom” Conference on June 10, 2014. Aguilar spoke regarding the increasing risks associated with cybersecurity and a board of directors’ responsibility to prevent and manage those risks.
The SEC has increased its focus on cyber-attacks due to the rising number of incidences companies have faced. Between 2011 and 2012, there has been a 42% increase per week in the number of successful attacks on U.S. companies. The increase is costly for companies and creates a lack of confidence in the capital markets system.
Since boards of directors are already responsible for overseeing all types of risks “there can be little doubt that cyber-risk also must be considered as part of board’s overall risk oversight.” Aguilar suggests boards begin to assess their risk by considering the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”), released by the National Institute of Standards and Technology (“NIST”) in February 2014. While the Framework can serve as a valuable guideline, knowledge gaps may still exist if boards “lack the technical expertise necessary to be able to evaluate whether management is taking appropriate steps to address cybersecurity issues.” Boards must then be proactive and employ the appropriate personnel to assist in closing this gap.
While prevention is a significant part of the battle companies must also address the measures they will take “for the inevitable cyber-attack and the resulting fallout.” Some considerations are how and when to respond to attacks and how to prevent further damage and developing a response plan.
There will be several other practical tips and considerations presented during the Core Compliance Learning Center Quarterly Webinar: Cyber Security & Business Continuity Plans – The Technology Controls You Need to Know on August 13th. For further information on this and other related subjects, please contact us at (619) 278-0020 to schedule a consultation.
GENERAL DISCLAIMER: Information contained within this blog does not create a business-client relationship, and none of the content of this blog can be deemed to be consultive business advice