Several recent data privacy and security-related incidents continue to illustrate the financial, legal and reputational consequences associated with cybersecurity risk. Companies — both private and public — are beginning to shift cybersecurity and privacy risk management from the IT department to the boardroom. The Securities and Exchange Commission’s Commissioner Luis Aguilar encouraged this shift in remarks before the New York Stock Exchange in June 2014, when he called on boards of directors to take a more active and informed approach to managing cyber risk. Multiple forms of guidance — ranging from proposed Office of the Comptroller of the Currency regulations in January to the National Institute of Standards and Technology’s voluntary Cybersecurity Framework developed pursuant to President Obama’s Executive Order 13636 — are advocating stricter oversight and management of cybersecurity risk.
However, as Commissioner Aguilar acknowledged, there are “various mechanisms that boards can employ to close the gap in addressing cybersecurity concerns” and “there is no ‘one-size-fits-all’ way to properly prepare for the various ways a cyber-attack can unfold.” Therefore, many companies, both public and private, are struggling to determine the nature and extent to which their boards should be involved in managing such risk. How can boards of directors balance their fiduciary duties to provide effective oversight and risk management, without interfering with the management and operation of the company by senior executives and employees?