SEC Commissioner Aguilar Discusses Boards of Directors' Role in Cyber-Risk Management (with Isajiw Comment)
SEC Commissioner Luis A. Aguilar delivered remarks at the "Cyber Risks and the Boardroom" Conference in which he focused on steps that companies' boards of directors can take to manage cybersecurity issues effectively.
Commissioner Aguilar stated that boards are responsible for making certain that their corporations have established, and are effectively implementing, appropriate risk-management programs. To gauge the adequacy of a company's cybersecurity measures, Commissioner Aguilar recommended that boards begin with the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology ("NIST") in February 2014. The NIST Framework is intended to give companies a set of industry standards and best practices for managing cybersecurity risk. Some commentators have already suggested that it is likely to become the baseline for corporate best practices, Commissioner Aguilar said.
Commissioner Aguilar noted that the NIST Framework will be ineffective if no one at a company can translate its concepts into action plans. He stated that some boards have called for mandatory cyber-risk education for directors, while others have suggested that boards include members with a solid understanding of information technology issues. Whatever the method, boards need to close the knowledge gap in addressing cybersecurity concerns, Commissioner Aguilar emphasized.
Commissioner Aguilar went on to recommend that boards have a clear understanding of who at the company holds primary responsibility for cybersecurity risk oversight, and that full-time personnel be devoted to the task. According to Commissioner Aguilar, companies need to be prepared to respond to a cyber event within hours, if not minutes, in order to analyze it fully and prevent widespread damage. To do this, he suggested, boards must commit the time and resources needed to ensure that management has developed a response plan, including whether and how a cyber attack will be disclosed, both internally and externally, to customers and investors.
Isajiw Comment: Given frequent news reports of large data breaches, corporate directors ignore cybersecurity and data management practices at their own peril. No business with a digital presence is immune to cybersecurity risks. Companies large and small need to be proactive and aggressive in confronting these threats. Their response should include not only physical and cryptographic security measures, but also an accurate and complete assessment of data systems to identify and correct potential security weaknesses. It should also consider the information that companies collect, how it is used and whether unnecessary risk is created by over-collecting data or storing stale data beyond its useful life. Companies also need to adopt a considered and practiced action plan to handle the aftermath of a data breach. Following such a data breach, litigation risks, regulatory mandates and reputational concerns may pull in different directions, with internal stakeholders competing for control. A well-orchestrated response plan that accounts for these competing concerns, as well as the early involvement of technical experts and legal counsel, may provide the best opportunity to minimize the legal and business costs.
See: Commissioner Aguilar's Speech. Related news: NIST Issues "Framework for Improving Critical Infrastructure Cybersecurity"; SIFMA Event to Follow (with Wainstein and Clearfield Comment) (February 12, 2014).