June 8, 2018
From the recent botnet attack on home and small-office routers to renewed attention to cybersecurity at the U.S. Securities and Exchange Commission (SEC), directors of companies are tasked with understanding and overseeing a mounting range of information about cyber risks. Recognizing that directors need oversight-specific resources to guide their understanding of this critical risk, the National Association of Corporate Directors (NACD), Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University (CMU) partnered to develop the Cyber-Risk Oversight Program.
The program is tailored specifically to the needs of the director and is updated periodically with webinars to provide context on the most recent developments in cybersecurity. Students who complete the course and pass a series of quizzes are awarded the CERT Certificate in Cybersecurity Oversight. They also join a group of their peers who are publicly acknowledged for having completed the program.
“Cyber-Risk Oversight: Boardroom Update” is the first installment in our Cyber-Risk Oversight webinar series. Completion of the program is not a requirement to view this webinar. Some chief insights from the webinar follow.
What’s New in the Threat Environment
According to the 2017 Cybercrime Report, published by Cybersecurity Ventures and the Herjavec Group, cybercrime will cost the global business market $6 trillion annually by 2021. Summer C. Fowler, a member of the CERT Institute faculty at CMU and an instructor in the Cyber-Risk Oversight Program, says that this considerable cost suggests that directors should pay closer attention to cyber-risk oversight, as cyber risks take a material toll on companies. Below is a summary of some of the more pressing threats discussed in the webinar.
Cybersecurity and the SEC
In recent years the corporate approach to cybersecurity has shifted from a reactive to a proactive mindset. These shifts have also been significant from a legal perspective, as ensuring cybersecurity and data protection becomes the responsibility of many people rather than a single person. Cybersecurity has also become a priority for the SEC. In 2011, the SEC’s Division of Corporate Finance issued guidance on how companies should approach disclosure of a breach to investors. While the chief regulator of public companies has not since made any specific rules on the reporting of cybersecurity incidents, it restated its guidance on what it expects companies to do to be transparent with shareholders about breaches. In February, the SEC released guidance for companies to consider when evaluating cybersecurity risks for disclosure. The SEC suggests that the board needs to think about more than the concrete costs of recovering after a cyber breach.
The factors that a board should consider in cybersecurity disclosure are:
Are you interested in earning a respected credential in cyber-risk oversight at your own pace? NACD members and those who are not yet members are encouraged to watch the webinar embedded above to preview the course’s offerings and to register for the course.