The U.S. Securities and Exchange Commission (“SEC”) expanded its recent focus on cybersecurity by addressing the responsibilities of corporate boards. In statements made during a June 10 talk at the New York Stock Exchange, SEC Commissioner Luis Aguilar highlighted the significant exposure that cyber risks present to companies and charged corporate boards with ultimate responsibility for addressing cybersecurity risk.
Aguilar’s comments focused on “what boards of directors can, and should, do to ensure that their organizations appropriately consider and address cyber-risks.” As he noted, “effective board oversight of management’s efforts to address [cyber] risks is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”
Aguilar pointed out that boards have been increasingly focused on risk management since 2009, when the SEC began requiring disclosure of the board’s role in risk oversight. Noting that such disclosures commonly indicate board oversight of several categories of risks, including credit risk and operational risk, he indicated that “there can be little doubt that cyber-risk also must be considered as part of [the] board’s overall risk oversight.”
Addressing what boards of directors can and should be doing, Aguilar stated quite clearly that “ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” To that end, he recommended that boards (1) work with management to ensure that corporate policies match up to the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework guidelines, (2) enhance their understanding of and expertise in cybersecurity issues, (3) call for full-time personnel devoted to privacy and security, and (4) ensure management has a “well-constructed and deliberate response plan that is consistent with best practices for a company in the same industry” as preparation “for the inevitable cyber-attack.”
Shareholder derivative suits have been initiated against the boards of Target and Wyndham following data breaches at those companies, both of which Aguilar noted in his presentation.
Aguilar’s remarks follow recent SEC developments indicating an increased focus on its registrants’ management of cyber risk. Shortly after the SEC’s Cybersecurity Roundtable in late March (reported here), the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced that it will be conducting examinations of more than 50 registered broker-dealers and investment advisors. In a Cybersecurity Initiative Risk Alert issued by OCIE in connection with the announcement, OCIE stated that its investigations will be designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats. In 2013, the SEC proposed a new Regulation SCI, which would require certain key market participants to have comprehensive policies and procedures in place surrounding their technological systems. As reported here, in October 2011, the SEC issued guidance identifying cyber risks and incidents as potential material information to be disclosed to investors under existing securities law disclosure requirements and accounting standards.