In a June 10, 2014 speech delivered at the New York Stock Exchange, SEC Commissioner Luis Aguilar addressed the important role of boards in overseeing cyber risk management. In his speech, Mr. Aguilar focused on what boards can do and should be doing to ensure that their organizations are appropriately considering and addressing cyber risks. Mr. Aguilar emphasized the duties of boards, highlighting business interruption and the potential for reputational harm as posing serious threats to a company’s bottom line. According to Mr. Aguilar, boards have assumed greater responsibility for overseeing risk management efforts, and these efforts should include cybersecurity. Mr. Aguilar stated that, although the primary responsibility for risk management has historically belonged to management, a board is responsible for ensuring that a company has established appropriate risk management programs and for overseeing how management implements these programs.
Mr. Aguilar also addressed the risk of shareholder lawsuits if boards choose to minimize or ignore their cybersecurity oversight responsibilities, and he urged boards to take a proactive approach to mitigating liability exposure. In discussing what boards can do and should be doing on cybersecurity issues, Mr. Aguilar cited a February 2014 report from the National Institute of Standards and Technology, entitled “Framework for Improving Critical Infrastructure Cybersecurity” (the NIST Framework), describing it as a place for a board to begin in assessing a company’s cybersecurity readiness. He stated that the NIST Framework is intended to provide companies with a set of industry standards and best practices for managing cybersecurity.
The NIST Framework is available at www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.