SEC Commissioner Luis Aguilar
The job for corporate board directors has significantly expanded since the financial crisis six years ago—and it’s about to get bigger. Following recent large-scale data breaches, a Securities and Exchange Commission (SEC) official has called for corporate boards to oversee cybersecurity risk.
Speaking at an event at the New York Stock Exchange on June 10, SEC Commissioner Luis Aguilar said board oversight is needed to address cybersecurity, which is now a critical component of risk management.
“Effective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets,” Aguilar, a Democrat on the five-member SEC, said in a statement.
Citing a recent survey of 2013 proxy filings by companies comprising the S&P 200, Aguilar said, “The full boards of these companies are increasingly, and nearly universally, taking responsibility for the risk oversight of the company.”
While there is no one-size-fits-all answer, Aguilar said that, in light of recent large-scale data breaches, board members need to make cybersecurity part of their risk management responsibilities, because a cyberattack can be costly for a company both financially and reputationally.
“Given the significant cyberattacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyberattacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities,” he said.
Corporate cybersecurity efforts have come under increased scrutiny in the past few weeks. In May, proxy advisory firm Institutional Shareholder Services (ISS) suggested that seven of 10 directors at Target be removed from office because the board of directors did not do enough to prevent a massive data breach that occurred in December 2013. The breach led to the theft of personal information, including the names, addresses, phone numbers, and e-mail addresses of up to 70 million customers.
ISS wants the Target directors who were assigned to manage risk removed, and the firm wants the company's shareholders to remove them. An annual meeting was scheduled for June 11.