Cybersecurity Today Is Treated Like Accounting Before Enron – The New York Times

We believe every board should have a cybersecurity expert and a specific board committee with oversight. And we recommend that companies report on their process and criteria for cybersecurity each year, with particular emphasis on their ability to respond to attacks promptly and effectively. Companies may wish to allocate reserves for potential breaches as well.

From a corporate governance and accountability perspective, cybersecurity today is being treated like accounting was before the fallout from the Enron scandal inspired the Sarbanes-Oxley Act’s increased standards for corporate disclosures. With the privacy and personal data of hundreds of millions of people at risk, and especially now with the increasing ubiquity of connected devices in our lives, the security of digital assets is too important for that kind of treatment. We need to bolster a culture of responsibility around cybersecurity, combining stronger and more uniform corporate governance with a clearer government commitment to enact better defensive policies.

A complex hack may not be a C.E.O.’s fault, but it is absolutely his or her responsibility. Investors and consumers need to demand more from the executives to whom they entrust their digital lives.

One Comment

  1. Mahwesh Khan says:

    Cyber security is such a big part of the overall risk management framework – and yet it is not really treated as an intrinsic, essential part of this framework in most boards and audit committees. One of the reasons, I feel, may be the human nature to discuss and solve problems about areas one is familiar with. With the average age of audit committee members being around 60 or 65 – they don’t ‘instinctively’ think technology – they need to train and ‘make’ themselves think tech. It’s not like they don’t realise the importance of cybersecurity, it’s just that their reaction and preemption time is much longer than that of someone who has worked, played, entertained, socialized predominantly using tech! For cybersecurity to be given effective oversight at boards, bringing diversity within audit or risk committees is imperative.
