Boards Need Better Data on Cybersecurity
The rise of high-profile cybersecurity breaches last year is affecting companies at the board level, too.
“The overwhelming number of cybercrime incidents has forced boards to become more educated about the topic and ask strategic and thoughtful questions directed toward management and internal audit,” says a report from the Institute of Internal Auditors Research Foundation.
By mid-2014, some 1,517 publicly traded companies had used the words “cybersecurity,” “hacking,” “hackers,” “cyberattacks” or “data breach” in securities filings to describe a type of business risk, according to the Wall Street Journal. That was up from 1,288 in all of 2013 and 879 in 2012, the Journal reported.
Despite the critical need for information surrounding cybersecurity, a majority of board members say they are dissatisfied with the amount of information management provides them on the issue, according to a survey on public company governance from the National Association of Corporate Directors (NACD). And of the information on cybersecurity and IT risks they do receive, 36 percent of board members weren’t satisfied with the quality.
“The indicated lack of information regarding cyber risks may pose a problem even for directors knowledgeable about cyber issues,” the NACD report said. “Although most respondents indicated that they had at least some knowledge regarding cybersecurity risks, many felt they could still improve their understanding.”
NACD, in conjunction with the American International Group and the Internet Security Alliance, recommends five principles for all corporate boards “as they seek to enhance their oversight of cyber risks.” Those principles are:
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.