Emily Huang | MTTLR

Mr. “Steal-Your-[Company’s Consumer Data]”: Cyber-Risks and Corporate Governance

Private entities and their directors cannot afford the cost of inaction in addressing cyber-attacks. As SEC Commissioner Luis A. Aguilar stated during a Public Statement on The Commission’s Role in Addressing the Growing Cyber-Threat, cyber-attacks on enterprises such as financial institutions and government agencies are becoming increasingly frequent and more sophisticated. In fact, according to the SEC’s Division of Intelligence’s list of global threats, this particular threat surpasses even terrorism.

The cost of inaction can be significant. For example, there is the looming threat of litigation and potential liability for failing to implement adequate steps to comply with fiduciary duties in preventing cyber-attacks. There is the substantial threat of financial and reputational risks for both corporations and government agencies. There is also the risk of harm to an entity’s ability to grow, innovate, and, in turn, gain or maintain customers. Further, cybersecurity threats victimize the national and economic security of the United States by exploiting the connectivity of critical infrastructure systems.

Fortunately, there are major steps that companies can take to mitigate cyber-risk. Back in June 2014, Commissioner Aguilar provided recommendations when he spoke at the New York Stock Exchange’s Conference, “Cyber Risks and the Boardroom.” In addition to spending sufficient time and resources to address cybersecurity issues, boards and their directors should be “asking themselves what they can, and should, be doing to effectively oversee cyber-risk management.” Boards should also focus on key oversight activities, such as assigning specific roles and responsibilities for privacy and security and concerning themselves with receiving frequent reports on data breaches and IT risks. In February 2014, the National Institute of Standards and...