Not just a ‘big company problem’
Threats are increasing and more difficult to detect
What boards do…and according to SEC Commissioner Luis Aguilar…SHOULD do
Reference guidance for directors…
Practical tips for Directors from the Institute of Internal Auditors Research Foundation
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Board of Directors Exposure
– 4 shareholder derivative lawsuits filed against directors, naming 13 directors and officers, asserting breach of fiduciary duty and waste of corporate
– Lawsuit dismissed; Directors showed reasonable
Make data privacy and data security, and the resources devoted to these areas, a regular topic of discussion at board meetings.
* Hogan Lovells, Chronicle of Data Protection, 1/23/15
Sample Concerns Driving Boardroom
• Verizon 2013 Data Breach Report – 162 companies
– Size doesn’t matter: more than 50% had < 1000 workers
– SMBs see security as a medium-to-high priority
• Only 75% admitted sufficient knowledge to assess
– For 1/3 of the companies, the security budget was <10% of the total IT budget
• Mandiant Threat Report – 2014
– 2/3 of breached companies notified by external parties
– 229 days on average to detect a breach (an improvement of 13 days over the prior report)
– 44% of phishing emails impersonate internal IT
– Political threats: e.g., the Syrian Electronic Army
– Iran: targeted Saudi Aramco and RasGas
“Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of directors’ risk oversight responsibilities.”
SEC Commissioner Luis A. Aguilar, June 2014
National Association of Corporate Directors
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each
Six Questions the Board Should Ask*:
1. Does the organization use a security framework? (ex;
2. What are the top five risks the organization has related to cybersecurity?
3. How are employees made aware of their role related
4. Are external and internal threats considered when planning cybersecurity program activities?
5. How is security governance managed within an
6. In the event of a serious breach, has management developed a robust response protocol?
* Institute of Internal Auditors Research Foundation