When Louis A. Aguilar was a commissioner at the Securities and Exchange Commission, he helped organize the SEC’s March 2014 roundtable to discuss the cyber risks facing public companies. The numerous data breaches that have occurred at public companies, from Target to Yahoo and many more, show that public companies have not yet succeeded in managing cyber risks.
On Sept. 22, 2016, Mr. Aguilar presented his current views in a talk titled “The Role of the Boards of Directors and CISOs in Overseeing Cyber-Risks” at the Security Alliance Advisors’ Annual Leadership Summit. A copy of Mr. Aguilar’s presentation is available here. His remarks provide useful guidance to board members and company managers about how to better manage cyber risks.
Mr. Aguilar points out that boards have long managed many types of risks, including credit risk, liquidity risk and operational risk. Cyber risk must become one of the risks that boards manage successfully.
Mr. Aguilar discusses several steps boards can take to close the “gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken.” Those steps include:
- Mandating cyber risk education for directors, including familiarity with the NIST Cybersecurity Framework.
- Developing processes to facilitate communication among chief information security officers (CISOs), senior executives and the board.
- Understanding the company’s vulnerabilities, strategy, technological and human resources, and existing plans for responding to a cyber event.
- Asking key questions of CISOs and other company managers, such as:
  - What are the key cyber threats facing the firm?
  - What is being done to mitigate those threats?
  - Are there areas that need additional attention, and if so, what are they and what are the plans to address them?
  - Are there sufficient budgeted funds and other resources available?
  - Have there been any data breaches? How many? What was learned? How will they be prevented in the future?
Mr. Aguilar also advises CISOs to consider how they can best assist board members. For example:
- What level of detail from CISOs will benefit the board or a particular board committee?
- How much information should a CISO provide in narrative form, and how many charts and graphs are useful? Too little information may leave the directors uninformed, while too much could drown them in a sea of minutiae that ends up being meaningless.
Mr. Aguilar notes that because “companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of directors’ risk oversight responsibilities.” Mr. Aguilar’s recommendations should help board members and company managers better manage cyber risks.