The Board as Cyber Risk Managers
Recent attacks on high-profile retailers and banks, as well as revelations of state-sponsored surveillance and espionage, emphasize the vulnerability of business and government agencies of all sizes. Calls for action, coming from multiple sources, suggest an insufficient awareness of these crippling threats at an organization's highest level.
A sizable percentage of corporate boards have yet to fully engage in their companies' cybersecurity operations, while others have been addressing cybersecurity for a number of years.
Our panel will address the following questions, designed to focus directors on their duties and responsibilities relating to cybersecurity:
Does the company use a security framework?
What are the top five risks a company has relating to cybersecurity?
How are employees made aware of their role pertaining to cybersecurity?
Are external and internal threats considered when planning cybersecurity program activities?
How is security governance managed within the company?
In the event of a serious breach, has management developed a robust response protocol?
Judith Germano - Cyber Security Advisor, Former Chief of Economic Crimes in the U.S. Attorney's Office for NJ
Bob West - Managing Director for CareWorks Tech, Former Bank Chief Information Security Officer
Steven Katz - Board Director and President of Steven Katz & Associates, Inc.
NACD NJ PROGRAM
THE BOARD AS CYBER RISK MANAGERS
On February 18, 2016, the membership attended a presentation by a panel of experts on what boards should be doing to defend against cyber attacks on their companies, a topic much in the news lately. Moderator Steven Katz, a director with long experience in the life sciences industry, was joined by Bob West, former Chief Information Security Officer for several banks, and Judith Germano, recognized by Directors and Board magazine as a Cyber Security Expert and former Chief of Economic Crimes at the U.S. Attorney’s office for the District of New Jersey.
Companies can be divided into two types: those that know they have been hacked and those that have been hacked but don’t know it yet. Besides direct hacks by outsiders, sources of cyber risk for companies include people inside the company itself who are sloppy in safeguarding information and do not use good computer hygiene; third-party vendors who have access to information that should be secured; and regulators like the SEC and FTC, which increasingly face public pressure to crack down in the area. Companies need to take a “commercially reasonable” approach to protect themselves and their customers in this area. Accepted standards of due care are evolving, such as ISO 27000 (a series of internationally recognized information security standards), the Cybersecurity Framework issued in 2014 by the National Institute of Standards and Technology, and judicial pronouncements such as last summer’s Court of Appeals decision in FTC v. Wyndham Worldwide Corp. from the Third Circuit, whose rulings govern in New Jersey.
Consequently, Boards need to take an active role in cybersecurity. Besides the risk of substantial monetary liability for damages and fines to the company, cases are developing where directors have been sued personally, or at least asked to resign, for not taking such a role. This applies to all companies regardless of size. Based on recent survey results, most boards appear to recognize that cyber risks are at a high level, but only a small minority of boards appear to be actively involved in cybersecurity preparedness instead of deferring to their IT departments.
Best practices for directors to take an appropriately active role include the following:
Becoming personally knowledgeable about cybersecurity issues and the evolving standards of due care, asking management the right questions.
Developing a consistent cybersecurity defense plan that devotes sufficient company staff and budgetary resources to the effort.
Approaching cybersecurity as an enterprise risk management issue, not just an IT issue, that brings in the input of the general counsel and public relations staff and outside consultants where necessary.
Making sure the Chief Information Officer adequately translates technical concepts to the Board, minimizing problems caused by faulty communication.
Developing a quick action response plan in advance to execute when problems arise.
Some companies have centered cybersecurity risk management in the Audit Committee, while others use a special Board committee approach. Whichever path is taken, responsibility remains Board-wide and discussions about the topic should be given frequent and adequate time on the Board meeting agenda.
Location and Time
APA Hotel Woodbridge (formerly Hotel Woodbridge at Metropark)
120 Wood Avenue, South
Iselin, NJ 08830
Breakfast: 7:30 a.m. - 9:30 a.m.