Corporate Board Member recently reported select findings from its annual “Law in the Boardroom Study.” The Report indicates that corporate directors and general counsel expect cyber risk to be among their most pressing concerns this year. According to the Report, 28% of corporate directors and 27% of general counsel anticipate that they will spend time on “cyber risk oversight” in 2013. Interestingly, corporate directors list only “executive compensation” and “M&A preparedness” ahead of cyber risk as areas of corporate board attention.
The entire Report is worth reading, but three particularly noteworthy themes emerge:
- One Size Does Not Fit All. Even as cyber risk becomes a greater concern across the board (no pun intended), the magnitude of cyber risk differs among companies. While the Report cites a 2012 Ponemon Institute study to support its statement that “[t]he average annualized cost of cyber crime [was] . . . $8.9 million in 2012,” in my opinion, that figure overstates the magnitude of cyber risk for some companies and understates the threat for other companies. Not all companies are similarly situated where cyber risk is concerned. As the Report itself notes, companies doing business “in high-tech, pharma, and certain government contractor segments” face elevated cyber risk. By contrast, cyber risk may pose less of a threat to companies for which data security is less crucial. For example, the Coca-Cola Company and the neighborhood lemonade stand may both rely upon secret recipes, but the kids running the lemonade stand aren’t likely to be concerned about cyber risk. As companies consider how best to anticipate, manage, and respond to cyber risk, they should assess the nature and level of cyber risk particular to their business.
- Potentially Overconfident. Corporate directors and general counsel expect to address cyber risk in 2013, but, according to the Report, most appear to be at least moderately satisfied with the steps their companies have already taken to mitigate cyber risk. The Report indicates that 85% of directors are “very confident” (22%) or “somewhat confident” (63%) that their companies could “quickly detect a cyber breach and determine whether confidential data was compromised.” Only 14% of directors surveyed are “not confident” that their companies could do the same. General counsel surveyed were similarly confident. I wonder, however, whether this confidence matches up with reality. Do these companies, for example, have real policies, procedures, and infrastructure in place to provide adequate protection? Given the almost daily news headlines relating to cyber attacks, data breaches and trade secret theft, it may be that some of this confidence is misplaced.
- Help Wanted. Despite their apparent confidence in the cyber risk management measures they have already implemented, the corporate directors and general counsel surveyed agreed that they could be better informed about certain cyber risk issues. According to the Report, “Directors feel that IT strategy/risk is a key area that they need more information on, while general counsel feel the same about e-discovery and data management.” Identifying information gaps is a good first step. The next step is to fill in those gaps and start to build a system and culture of risk management and data protection.
How do the Report’s findings compare with your company’s attitudes and concerns regarding cyber risk? Are you confident that your company’s existing cyber risk management measures are adequate? Have you considered what measures your company might adopt to better assess and manage cyber risk?
Matthew L. Stortz is a rising third year law student at Boston University School of Law. Matt’s legal interests include nearly everything at the intersection of law and business.