Another day, another cyber attack. Just in the last few weeks we have seen headlines about a major data breach announced at Yahoo, accusations that the Russian government interfered with the US presidential election, and a breach at the E-Sports Entertainment Association that exposed over a million records.
Despite the potential harm from such attacks, there is a general consensus that boards of directors are not taking the necessary actions to defend and protect their companies from these attacks. The problem is that many people in leadership positions do not understand the real problems and consequences of a cyber attack and do not have enough understanding of cybersecurity risks and how to mitigate them.
“Our country and its businesses and government agencies of all sizes are under attack from a variety of aggressive adversaries and we are generally unprepared to manage and fend off these threats,” said Gartner analyst Avivah Litan.
“Some organizations do a better job than others, but those efforts are almost always led by CIOs, CISOs or business line managers and not by corporate boards, CEOs and executive management throughout government and the private sector,” Litan added.
The National Association of Corporate Directors (NACD) recently released a survey of more than 600 corporate board directors and professionals that found only 19% believe their boards have a high level of understanding of cybersecurity risks. That’s an improvement from 11% in a similar poll conducted a year earlier, but nowhere near the levels needed to protect businesses and their customers.
Fortunately, things are beginning to change as legislation and regulations finally catch up to the realities of the business world. While most states in the US have laws requiring data breach notification, federal law has been slow to follow. A number of US senators have backed breach notification laws, but no bill has passed congressional muster. It will be interesting to see whether things change under President Trump given the increasingly negative effects of cyber attacks.
Regulations proposed in New York by the Department of Financial Services (DFS) are an example of states trying to increase the protection of sensitive information and hold senior leadership accountable. The proposed 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies requires the board of directors or a Senior Officer to certify that the company is in compliance with the regulations. The regulations call for a cybersecurity plan, encryption of non-public data, access controls and audit trails of activity. The goal is to improve the security posture of financial institutions so that they protect confidential information.
“Having a requirement to disclose is a great motivator to increase security to prevent future attacks,” Litan said. “No one wants their names in the news. That’s what corporate directors are most worried about, in fact.”
Education at the board level is of paramount importance in helping directors understand the risk they face from cyber attacks. Just as a board needs to understand the risk from competitors, fire, theft, litigation and currency fluctuation, it must understand how to mitigate the risk of cyber attacks. Regulations like those proposed in New York are the beginning of this process, and boards must now understand that they will be personally liable if they do not comply.