Cybersecurity in the Boardroom

Data breaches and cyber attacks have proliferated over the past few years, and incidents occurring at large, reputable organizations are further stressing the harsh reality that no company is safe from this modern threat.

At the helm of the fight against corporate hacks and the mishandling of confidential data are boards of directors and their management teams, whose challenge is further exacerbated by tougher disclosure requirements and the speed at which the threats are evolving. What constituted a valid preventive strategy five years ago is unlikely to still be appropriate today. What’s more, the issue of cybersecurity now extends well beyond criminal organizations conducting targeted attacks on corporations to include personal data gathered from car navigation systems and home security monitoring to personal health tracking devices.

Against this backdrop, Corporate Board Member took to the field in June 2018 to survey directors of publicly traded corporations on how they view this expanding threat and how they can help their companies guard against it. Among several key data points, we’ve found that directors are worried. Hackers, negligent or disgruntled employees, nation-states and terrorist groups: the cyber threats come continually and from all quarters. And the consequences of getting it wrong are dire.

 

“Frankly, we are only scratching the surface of this 21st Century issue.”

— William Lerner, Attorney, Former Branch Chief of the SEC’s Enforcement Division and Career Board Member.

As cybersecurity initiatives to address vulnerabilities grow more sophisticated, so do the attacks. In fact, directors indicated that they no longer expect to be able to secure their companies and information from thieves and malefactors. Only 23 percent reported feeling very confident that their companies hadn’t experienced a breach of which they, the board or the executive team, were unaware.

Nevertheless, four directors out of 10 support regulators holding board members liable for breaches when companies haven’t made reasonable efforts to secure customer data. While this may be surprising, that willingness may reflect directors’ confidence that “reasonable efforts” are being made and that regulators will see them as such. In fact, fully three-quarters of our respondents said they were ready to provide evidence of compliance to regulators should such a request be made.

“There are only two kinds of companies: those that have been breached and those who don’t know they’ve been breached.”

— Jan Babiak, Chair of the Audit Committee for Walgreens Boots Alliance and Bank of Montreal; Former Managing Partner in EY’s Technology Security & Risk Services Unit.

Overall, hundreds of public company directors shared their views on the state of cyber oversight with us, from their biggest fear and identifying the rightful owner of the cyber risk within the organization to the day-to-day that can, in the end, save a corporation’s reputation. Our findings and the results of the survey are presented in a report made accessible to our readers.