We believe every board should have a cybersecurity expert and a specific board committee with oversight. And we recommend that companies report on their process and criteria for cybersecurity each year, with particular emphasis on their ability to respond to attacks promptly and effectively. Companies may wish to allocate reserves for potential breaches as well.
From a corporate governance and accountability perspective, cybersecurity today is being treated like accounting was before the fallout from the Enron scandal inspired the Sarbanes-Oxley Act’s increased standards for corporate disclosures. With the privacy and personal data of hundreds of millions of people at risk, and especially now with the increasing ubiquity of connected devices in our lives, the security of digital assets is too important for that kind of treatment. We need to bolster a culture of responsibility around cybersecurity, combining stronger and more uniform corporate governance with a clearer government commitment to enact better defensive policies.
A complex hack may not be a C.E.O.’s fault, but it is absolutely his or her responsibility. Investors and consumers need to demand more from the executives to whom they entrust their digital lives.