Earlier this week SEC Commissioner Luis A. Aguilar gave a speech at the New York Stock Exchange on “Boards of Directors, Corporate Governance and Cyber-Risks,” in which he strongly urged directors to focus on the need for increased oversight of cyber-risks:

Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of directors’ risk oversight responsibilities.

Commissioner Aguilar recommended that directors take the following four steps:

  1. Use the Framework for Improving Critical Infrastructure Cybersecurity released by the National Institute of Standards and Technology as a guide;
  2. Consider cyber-risk education for directors, recruiting a director who knows information technology, or creating an enterprise risk committee to focus attention on cyber-risks;
  3. Make sure the company has appropriate personnel to manage cyber-risks; and
  4. Prepare a plan for responding to cybersecurity breaches.