The days when boards of directors leave cybersecurity solely in the hands of IT teams may become history if a new bill is passed into law. On December 17, 2015, Senators Jack Reed (D-RI) and Susan Collins (R-Maine) introduced the Cybersecurity Disclosure Act of 2015 (S2410). The bill proposes to require public companies to disclose the cybersecurity expertise of their board members.
If the bill were passed into law, it would trigger two key actions, according to the law firm, Cooley:
- Require the Securities and Exchange Commission to issue new rules mandating that public companies describe any cybersecurity experience or expertise held by their board members in the companies’ annual reports or proxy statements.
- If an organization’s board members do not have cybersecurity expertise, the bill would require them to describe what consideration was given to cybersecurity when selecting potential board members.
If the bill is enacted into law, it could encourage shareholders to pressure organizations to seek board members with cybersecurity experience. Even if it is not enacted, it could still raise awareness of the need for boards to understand today’s expanding and intensifying cybersecurity threats.
This could be a great outcome, especially when considering the findings of a Ponemon Institute study. It found that 26 percent of board members describe themselves as having “minimal or no knowledge” about cybersecurity. And just one-third considered themselves “knowledgeable” or “very knowledgeable.”
A Growing Trend to Take Cybersecurity More Seriously
Seeking greater cybersecurity knowledge on boards of directors is not an entirely new idea. In 2014, a prominent proxy adviser, Institutional Shareholder Services, urged Target Corp. to fire most of its board members for failing to manage risks and protect the company from a massive data breach. This action was viewed as “a warning to corporate boardrooms to take cybersecurity more seriously,” according to the Wall Street Journal.
In mid-2014, the U.S. Securities and Exchange Commission’s Luis Aguilar urged corporate America, including board and C-suite members, to do more to fight cyber attackers. “Directors should be asking themselves what they can, and should, be doing to effectively oversee cyber-risk management,” Aguilar stated. He warned that the SEC could hold corporate boards and senior management responsible for future security breaches.
In the Sixth Board of Directors Survey conducted by EisnerAmper, 72 percent of respondents said they recognize cybersecurity as a key risk. While 50 percent ranked it as one of the top concerns, about 22 percent ranked cybersecurity as the top concern for their boards.
The C-suite is stepping up
There are several reasons why C-suite and board members have not taken a bigger role in cybersecurity until now, according to EY’s Cyber Program Management report. It stated that they operate with a siloed mentality, face limitations in assessing their organizations’ cyber risks, and lack knowledge of how to conduct effective breach responses.
“I suspect [many boards] thought it was a tech problem that would quickly go away, instead of realizing it was a business risk that would go on for a very long time,” stated Martin Fisher, IT security manager at Northside Hospital.
But times have changed. According to the Financial Executives Research Foundation, “Board involvement is crucial. Senior management and the board need to have open dialogue about expectations regarding risk tolerances, budget considerations, IR planning and breach response.”
Overall, it is great news for the business world that boards of directors and the C-suite are getting involved in cybersecurity. The most effective security programs need buy-in from across the organization, all the way to the top. When boards and executives better understand the grave consequences of neglecting information risk management and of not investing in a strong cyber defense, security programs are much more likely to succeed.