We believe every board should have a cybersecurity expert and a specific board committee with oversight. And we recommend that companies report on their process and criteria for cybersecurity each year, with particular emphasis on their ability to respond to attacks promptly and effectively. Companies may wish to allocate reserves for potential breaches as well.
From a corporate governance and accountability perspective, cybersecurity today is being treated like accounting was before the fallout from the Enron scandal inspired the Sarbanes-Oxley Act’s increased standards for corporate disclosures. With the privacy and personal data of hundreds of millions of people at risk, and especially now with the increasing ubiquity of connected devices in our lives, the security of digital assets is too important for that kind of treatment. We need to bolster a culture of responsibility around cybersecurity, combining stronger and more uniform corporate governance with a clearer government commitment to enact better defensive policies.
A complex hack may not be a C.E.O.’s fault, but it is absolutely his or her responsibility. Investors and consumers need to demand more from the executives to whom they entrust their digital lives.
So what happened? At a time when board composition and disclosure are presented as the board’s best safeguards to a range of corporate crises, what lessons can be gleaned from the Equifax debacle—despite the board’s perceived preparedness in these areas?

In each annual proxy, boards disclose their governance practices—from director succession planning to risk management—which serves to reassure investors (large and small) that their assets are in safe hands. Yet, the Equifax breach presents us with a scary prospect: How many companies have failed to do what they say?
Source: The Equifax Hack: More Questions Than Answers About the Board
As Equifax acknowledges a massive security breach that exposed names, addresses, Social Security numbers and more to fraud and disruption, and as it appears that executives, including the CFO, sold stock before making this information public, it also comes out that Equifax lobbied to make it more difficult for consumers to obtain damages for exactly this kind of abuse.
Equifax’s lobbying group argued against the prohibition even as it acknowledged that a 2015 government study found “that credit reporting constituted one of the four largest product areas for class action relief” for consumers. Consumer groups countered the claims of CDIA and other rule opponents by saying the ability to file suit is necessary to protect Americans’ legal rights.
Source: Equifax Lobbied To Kill Rule Protecting Victims Of Data Breaches
For more on this issue:
The Center for Audit Quality celebrated its 10th anniversary with a conference that included assessment of its progress since it was created in response to the Enron-era series of accounting failures and some thoughts about upcoming developments. Unabashedly committed to the notion that accounting is “a force for good,” director Cindy Fornelli emphasized the profession’s commitment to “independence, objectivity, and skepticism.” Many of the participants pointed to more attention to cybersecurity and sustainability (including non-GAAP reporting) and coordination with international standards as increasing challenges, necessary for corporate managers, directors, investors, and other stakeholders. In general, the speakers endorsed the Sarbanes-Oxley legislation, though former SEC Chair Harvey Pitt would have preferred the additional flexibility of making it a part of the ’34 Act. Some expressed concern about overloading the board, especially the audit committee, and the consensus was that with issues like cybersecurity, the committee should be responsible for ensuring a system is in place, not for performing the checks itself. Some of the participants expressed concern that the new administration’s more insular, protectionist approach might lead to withdrawal from essential international coordination efforts, leaving a gap in leadership. Pitt said, “If we do not participate, it will diminish our impact…and our ability to compete in a global marketplace.”
CEOs’ compensation – including salary, bonuses and stock options – should be linked to their companies’ cyber security performance, according to a new report from the [UK] Culture, Media and Sport committee.
Source: CEO’s pay should be linked to security performance, says government committee | IT PRO
The Global Network of Director Institutes (GNDI), the international network of director institutes, has issued new perspectives papers on two governance issues that have dominated the board agenda globally this year.
“In the last 12 months, discussions have focused on the changing role of the board to be more resilient against cyber threats and address expectations regarding performance, culture and board diversity through renewal,” said Stan Magidson, Chair of the Global Network of Director Institutes and President and CEO of the Institute of Corporate Directors, Canada. “These are global issues and members of GNDI have issued global recommendations for boards to consider.”
In the first paper, Guiding Principles for Cybersecurity Oversight, GNDI proposes three areas of focus: people, processes and technology. Likening cybersecurity to the “fourth estate”, the global network says that cybersecurity falls outside the traditional borders of oversight, accountability and control, and therefore requires a new approach.
The organisation is calling on boards to consider placing cybersecurity as a specific accountability of one of the officers reporting to the board, to inform themselves of specific operational, reporting and compliance aspects of cybersecurity, and lastly to consider adding a member with some knowledge of information technology (including digitalization and cybersecurity).
In the second perspectives paper, Renewing the Board, GNDI advocates for a performance management approach to board renewal to create long-term value and argues that the board should disclose these policies and processes to its shareholders and other stakeholders to allow for better engagement with these groups. The paper also argues that boards should cast a wide net when adding or replacing a director and should consider the need for diversity of thought, skills and experience on the board when considering appointments.
via Global director network issues policy perspectives on cybersecurity and board renewal.
More than two thirds of company board members are more involved with cybersecurity issues than they were a year ago, according to a new survey by BDO USA, a consulting firm. Nearly 90% of the 150 public-company board members who responded to the survey said they’re briefed on cybersecurity at least once a year, with a third briefed at least quarterly on the issue. Seventy percent said they have increased company investments against cyber-attacks during the past year, the survey found.
Shahryar Shaghaghi, national leader of technology services for BDO, said the board participation and involvement numbers are encouraging, but he now expects more as a result of the investment. “I think we need to move from reactive, which is responding to breaches and notifying the board, to a more-proactive state, where the board can understand what’s going on in the organization,” he said.
via The Morning Risk Report: Boards More Involved on Cyber – Risk & Compliance – WSJ.
There’s no doubt that cyber attacks cause real financial harm to businesses. Money can be stolen, business operations disrupted. Cyber theft can provide international competitors with years worth of valuable intellectual property or trade secrets virtually overnight, jeopardizing current and future market opportunities. Cyber attacks can seriously damage an organization’s reputation with customers and result in legal liability for the company, executives, and board members.
As companies race to protect themselves, how do investors know if the organizations they are investing in are secure?
Join Jacob Olcott, VP at BitSight, and Nell Minow, corporate governance expert and co-founder of Institutional Shareholder Services (ISS), for a discussion of key issues, including:
- How investors assess cybersecurity in the M&A diligence process
- What institutional shareholders want to know about cyber risks to their investments
- How shareholders can meaningfully engage with companies on cybersecurity
via Cybersecurity and Investors.
In recent months, AIG, Blackberry, CMS Energy, General Motors and Wells Fargo have added a board member with computer-security knowledge. Delta Air Lines and Ecolab did the same in recent years.
The reasons are clear. Cyberattacks on large companies skyrocketed 44% last year from 2013. Cybercrime costs businesses more than $400 billion a year, according to Lloyd’s of London.
Data show that corporate boards have a long way to go. Just 11% of public-company boards queried this year reported a high-level understanding of cybersecurity, the National Assn. of Corporate Directors said. A review by the New York Stock Exchange and security firm Veracode found that two-thirds of board members questioned think their companies are ill-prepared for a cyberattack. Yet consulting firm PricewaterhouseCoopers reports that 30% of boards surveyed never talk about cybersecurity at all.
via Cybersecurity Experts Flooding Boardrooms – Network Security on Top Tech News.