Saturday, August 16, 2014

Directors Should Be Paying Attention to Data Security Practices

Directors should take an active role in managing data security risks rather than leaving it up to management and IT staff, according to recent remarks by SEC Commissioner Luis Aguilar.

Commissioner Aguilar recently delivered a speech at the New York Stock Exchange in which he emphasized that cybersecurity has become a “top concern” and pleaded with corporate directors to “take seriously their obligation to make sure that companies are appropriately addressing those risks.”

The Commissioner reported that U.S. companies experienced a 42% increase from 2011 to 2012 in the number of successful cyber-attacks.  He also pointed out a number of recent high-profile incidents, including the following:
  • The October 2013 cyber-attack on the software company Adobe in which data from more than 38 million customer accounts was breached;
  • The December 2013 cyber-attack on Target, in which the payment card data of approximately 40 million Target customers and the personal data of up to 70 million Target customers was breached;
  • The January 2014 cyber-attack on Snapchat, a mobile messaging service, in which a reported 4.6 million user names and phone numbers were leaked;
  • The multiple cyber-attacks against several large U.S. banks, which shut down their public websites for hours at a time; and
  • The numerous cyber-attacks on securities exchanges. (According to a 2012 global survey of 46 securities exchanges, 53% reported experiencing a cyber-attack in the previous year.)
Commissioner Aguilar observed that cybersecurity has become a “top concern” of American companies over a relatively short period of time.  That's good news.  But, in his view, directors themselves, not only management and IT staff, should be involved in addressing cybersecurity risks.

The core of Commissioner Aguilar's remarks concerned the board’s role in corporate governance and in overseeing risk management.  He noted that since the financial crisis there has been an increased focus on how boards address risk management.  While acknowledging that primary responsibility for risk management has historically rested with management, he emphasized that boards are responsible for ensuring that the corporation has established appropriate risk management programs and for overseeing how management implements those programs.  Not surprisingly, he also mentioned the SEC's 2009 rule change, which requires public disclosure of the board's role in risk oversight (usually in the proxy statement).

In addition to the SEC's rule changes, proxy advisory firms appear to be applying pressure to boards to focus on data security risks.  A prominent proxy advisory firm has recommended that shareholders vote against the election of most of Target's directors because of their alleged “failure…to ensure appropriate management of [the] risks” resulting in Target’s December 2013 breach.

The result of these influences is encouraging: Boards have begun to assume greater responsibility for overseeing the risk management efforts of their companies, according to evidence cited by the Commissioner.  For example, according to a survey of 2013 proxy statements filed by S&P 200 companies, the full boards have almost universally assumed responsibility for the risk oversight of their respective companies.

The Commissioner concluded by expressing his view that "board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues."

You can read the Commissioner's full remarks here.



(c) Matt Cordell 2013