Why Cyber-Security is a Corporate Governance Problem

ValueEdge Advisors Vice-Chair Nell Minow has a new column in the Huffington Post about the role of boards in risk management, especially cyber-security, which SEC Chair Mary Jo White calls the “biggest systemic risk” facing the US.

Executives are responsible for proposing and implementing corporate strategy, but it is the board of directors who are responsible for oversight and risk management. The risks of cyber-attacks are not “if” questions. They are “when” questions. And the answer to the “when” question is: now. Cyber-attacks are a real and constant danger.

It is the responsibility of the board of directors to make sure that companies have the best protection possible. It is even more important that they make sure corporate executives are ready to respond immediately when attacks occur. Boards cannot stop every cyber-intrusion, but they can and must stop the failure to respond promptly and effectively. According to BitSight, the leading firm monitoring cyber-attacks and corporate responsiveness, most successful attacks occur when bad guys exploit “known vulnerabilities,” that is, vulnerabilities for which a patch exists but has not been applied. When corporate IT staff do not update their systems in a timely fashion, that is disastrous risk management.

A key indicator is the “detection deficit,” the time that elapses between the breach and the moment the organization discovers it. BitSight issues ratings based on companies’ performance relative to other organizations in responding quickly and effectively to attacks.

Boards must establish either dedicated committees or Risk Committee subcommittees to oversee cyber-security, not just of the corporation itself but of its supply chain and customers. This is an indispensable element of internal controls and risk management. Banks issuing credit cards can have excellent systems in place, but if the retailers their customers shop at do not, they will face the Target problem all over again. Here’s a tip: self-reporting is not adequate. Protection status must be independently verified.