In a June 10, 2014 speech delivered at the New York Stock Exchange, SEC Commissioner Luis Aguilar addressed the important role of boards in overseeing cyber risk management. In his speech, Mr. Aguilar focused on what boards can do and should be doing to ensure that their organizations are appropriately considering and addressing cyber risks. Mr. Aguilar emphasized the duties of boards, highlighting business interruption and the potential for reputational harm as posing serious threats to a company’s bottom line. According to Mr. Aguilar, boards have assumed greater responsibility for overseeing risk management efforts, and these efforts should include cybersecurity. Mr. Aguilar stated that, although the primary responsibility for risk management has historically belonged to management, a board is responsible for ensuring that a company has established appropriate risk management programs and for overseeing how management implements these programs.

Mr. Aguilar also addressed the risk of shareholder lawsuits if boards choose to minimize or ignore their cybersecurity oversight responsibilities. Mr. Aguilar urged boards to take a proactive approach to mitigating liability exposure. In discussing what boards can do and should be doing on cybersecurity issues, Mr. Aguilar cited a February 2014 report from the National Institute of Standards and Technology, entitled “Framework for Improving Critical Infrastructure Cybersecurity” (NIST Framework), and stated that it is a good starting point for a board assessing a company’s cybersecurity readiness. He stated that the NIST Framework is intended to provide companies with a set of industry standards and best practices for managing cybersecurity.

The NIST Framework is available at www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.