Are corporate boards suffering from cyber fatigue?  Hardly.

Recent surveys tell us that cybersecurity is the top risk faced by corporate America.  The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern.  And their general counsel agree.  In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.

Not surprisingly, cyber risk was also on the agenda at the 28th Tulane Corporate Law Institute last week in New Orleans, the annual gathering of mergers and acquisitions professionals.  I was privileged to speak on the “Advising Boards of Directors on Dealing with Risk” panel with my colleagues Victor Lewkow and David Brodsky from Cleary Gottlieb Steen & Hamilton LLP and Creighton Condon from Shearman & Sterling LLP.

A few key takeaways:

  • Board engagement on cyber risk continues to improve each year but 37% of board members still say they don’t receive enough information about cyber risk, and 27% say they are dissatisfied with the quality of the information received;
  • More than 50% of the time, corporate leaders learn about a data breach from outside their own organizations, usually from law enforcement, their financial institution or the news media;
  • A comprehensive cybersecurity plan isn’t a check-the-box, one-time process, but an evolving risk management tool that requires expertise and commitment across an entire organization;
  • Boards and leadership teams should not sit back and wait for additional regulatory guidance regardless of industry or sector but should proactively design and implement a cybersecurity plan that fits their business needs and data sensitivity;
  • Board and organizational cyber preparedness isn’t just good business, it makes financial sense. Statistics show that the costs associated with remediating a data breach incident are substantially lower when the board is fully engaged, an incident response plan is in place and there are strong internal controls and employee education; and
  • Regulators on both a federal and state level are keenly focused on cyber risks and will undoubtedly be attentive to written policies, procedures and internal controls (and on regularly updating, revising and practicing them).