Topics: Cybersecurity,Investor Relations,Risk Management
November 20, 2019
High-profile breaches make the news far too often: breaches that compromise hundreds of millions of people’s data and cost organizations millions of dollars. Many companies that have been hit are still working to recover from the reputational and financial damage months, and even years, later.
Looking beyond the big headlines, though, your board can find valuable information on cybersecurity in those companies’ proxy statements.
In 2018, the Securities and Exchange Commission (SEC) issued updated interpretive guidance to help public companies draft their cybersecurity disclosures. The guidance encourages companies to be more transparent on their cybersecurity risks and incident disclosures, including disclosing the board’s role in overseeing cybersecurity risk. But if you look at most companies’ proxy statements, their disclosures don’t really say much. In fact, they often include only a sentence or two with boilerplate language that simply states that their board or one of its committees oversees risks related to cybersecurity.
On the other hand, when you look at the proxies of some companies that have successfully managed to make it through a breach, there’s usually a noticeable difference. They are more transparent about their board’s cybersecurity oversight. Their disclosures are also more robust, spelling out in more detail what their boards are doing to get a better handle on cybersecurity.
Here are some of the things such companies are doing—and that your board can do as well to strengthen your cybersecurity policies and procedures:
More broadly, some companies are disclosing how they are staying educated related to cyber risk, either by noting annual board training or by discussing the addition of directors with specific cybersecurity expertise to the board.
Companies that have gone through a cyber crisis have experienced the process from start to finish, and they have recognized the need to be more transparent in their disclosures about the board’s role. If you haven’t been through a crisis, it can be helpful to look at such companies’ disclosures; there’s a lot you can learn. At a minimum, you can consider whether your board should be doing the same things. If you are doing them already, you might want to enhance your disclosures to show that you’re taking the right steps should your company be hit with a breach.
While there may not be many of the more robust disclosures out there just yet, I believe we’ll start to see more in the future—not only because the likelihood of companies being attacked is constantly on the rise but also because boards will continue to be in the spotlight as cybersecurity oversight evolves.
Still stunned that this ancient topic is getting so much attention today. I endured my first attack in 1999.
Hard to fathom that this has just bubbled up to boards in the past five years.
Can this be? Is this why it’s a problem: somehow boards were in the dark for almost two decades?