Private entities and their directors cannot afford the cost of inaction in addressing cyber-attacks. As SEC Commissioner Luis A. Aguilar stated during a Public Statement on The Commission’s Role in Addressing the Growing Cyber-Threat, cyber-attacks on enterprises such as financial institutions and government agencies are becoming increasingly frequent and more sophisticated. In fact, according to the SEC’s Division of Intelligence’s list of global threats, this particular threat surpasses even terrorism.
The cost of inaction can be significant. For example, there is the looming threat of litigation and potential liability for failing to implement adequate steps to comply with fiduciary duties in preventing cyber-attacks. There is the substantial threat of financial and reputational risks for both corporations and government agencies. There is also the risk of harm to an entity’s ability to grow, innovate, and, in turn, gain or maintain customers. Further, cybersecurity threats victimize the national and economic security of the United States by exploiting the connectivity of critical infrastructure systems.
Fortunately, there are major steps that companies can take to mitigate cyber-risk. Back in June 2014, Commissioner Aguilar provided recommendations when he spoke at the New York Stock Exchange’s Conference, “Cyber Risks and the Boardroom.” In addition to spending sufficient time and resources to address cybersecurity issues, boards and their directors should be “asking themselves what they can, and should, be doing to effectively oversee cyber-risk management.” Boards should also focus on key oversight activities, such as assigning specific roles and responsibilities for privacy and security and concerning themselves with receiving frequent reports on data breaches and IT risks.
In February 2014, the National Institute of Standards and Technology released a voluntary Framework for Improving Critical Infrastructure Cybersecurity (“Framework”) in response to President Obama’s 2013 Executive Order titled “Improving Critical Infrastructure Cybersecurity.” The Framework organizes the management and oversight of cyber-risk around five core functions: (1) Identify; (2) Protect; (3) Detect; (4) Respond; and (5) Recover. Accordingly:
In practical terms, these five core functions mean that companies should (i) identify known cybersecurity risks to their infrastructure; (ii) develop safeguards to protect the delivery and maintenance of infrastructure services; (iii) implement methods to detect the occurrence of a cybersecurity event; (iv) develop methods to respond to a detected cybersecurity event; and (v) develop plans to recover and restore the companies’ capabilities that were impaired as a result of a cybersecurity event.
While the Framework shows that regulators and the executive are concerned with the cyber-risk exposure of domestic companies, the burden of cyber-risk oversight and management clearly lies internally for any company. The issue that remains is whether or not the burden of oversight should be on the full board or, for instance, on a novel committee dedicated to risk management.
Considering the frequency of headlines warning of recent data breaches in American companies, it is critical that company boards become familiar with cyber-risks. They need to be proactive in their efforts in order to prepare the company for the “inevitable cyber-attack and the resulting fallout from such an event.” And while there is no one-size-fits-all method to properly prepare and respond to a cyber-attack, companies should always be ready to respond at a moment’s notice to detect, analyze, and prevent further damage resulting from such attacks.*
*Emily Huang is an associate editor on the Michigan Technology Law Review.