Corporate Compliance Insights

Cybersecurity Responsibility Expands to Corporate Boards

Best Practices for Boards in Mitigating Cyber Risk

by Jayne Friedland Holland
September 30, 2019
in Featured, Governance

The SEC has squarely placed the onus on corporate board members to take on greater cybersecurity oversight of the companies they serve. NIC Inc.’s Jayne Friedland Holland discusses board members’ roles now.

On the heels of record-breaking cyber breaches in 2017, sensitive information found its way into cybercriminals’ hands in dozens of major attacks in 2018. Identity theft protection company IdentityForce has already reported on close to 100 breaches in 2019 affecting health care, online betting, government, retail organizations and more. The cybersecurity community generally agrees that worldwide cybercrime costs will double from $3 trillion annually in 2015 to $6 trillion by 2021.

The 2017 attack on Equifax, that year’s largest and most well-publicized breach, exposed 145.5 million Americans’ social security, credit card and driver’s license numbers. The event was surprising not only in its breadth, but also because Equifax executives knowingly continued trading stock for months before the company reported the breach.

The uptick in devastating cybersecurity incidents and the Securities and Exchange Commission’s concerns over reporting delays prompted the agency to issue interpretive guidance for public company disclosures of cybersecurity risks and incidents in February 2018. The guidance reinforces and expands on guidance published in 2011. It outlines how companies can evaluate which cybersecurity matters must be disclosed, gives direction on disclosure timing and sets forth steps a company can take to adequately understand its cybersecurity risk profile and disclosure obligations. It also addresses the importance of strong cybersecurity policies and procedures and insider trading prohibitions, additions that were not addressed in the prior guidance.

The guidance established new expectations for board members to take on greater oversight of a company’s cybersecurity efforts. This seems to indicate the SEC now places this duty on the same level as it does board requirements for governance of other enterprise risks.

Cybersecurity has become business-critical. To remain in step with the SEC’s guidance, corporate boards must move away from merely maintaining a general concern for cybersecurity. Instead, they must understand it as a core business issue for which their role now includes an obligation to quantify risk and identify actions to mitigate it.

Cybersecurity Oversight: Best Practices for Public Company Boards

The SEC’s 2018 guidance, while establishing greater cybersecurity requirements for corporate boards, does not prescribe a specific approach for corporate directors to follow; it offers general recommendations. To properly evaluate risk, work to mitigate breaches and be prepared to respond appropriately to a security incident, public company executives and corporate boards should consider the following set of best practices:

1. Recognize the Critical Nature of Cybersecurity

Board members and C-level executives have responsibility for ensuring that cybersecurity is a key component of everything an organization does. The board can and should take the lead in focusing attention on “the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact,” as the SEC guidance states. Board members should be involved in evaluating security-related reporting structures, overall program adequacy and policies and procedures. The SEC also requires written disclosure of how the board administers its risk oversight function.

A public company should give its Chief Security Officer or someone in a similar position a seat at the executive table. Taking this step involves the CSO in every strategic discussion and decision the company makes, communicates the importance of security to the entire organization and helps ensure the security team plays a role in evaluating all the company’s risks and can provide input on secure product practices and other strategic endeavors.

In addition, it is important to separate the CSO’s reporting line from that of the Chief Information Officer or Chief Technology Officer. With separate chains of command, those responsible for developing services or maintaining systems are subject to a check from those responsible for securing them.

2. Add Cybersecurity Expertise

Charged with oversight of complex and technical cybersecurity issues, directors should be informed enough to evaluate the company’s cyber risks as effectively as they would assess financial performance and corporate strategy. Board members, therefore, should consider whether one or more directors has sufficient expertise in these areas.

The bipartisan Cybersecurity Disclosure Act of 2019 (S.592), reintroduced last year, requires publicly traded companies to disclose board members’ data security or cybersecurity expertise. If no one on the board has those capabilities, the board must explain what steps it is taking to identify future board members who could contribute that knowledge. The bill has not yet passed, but given the SEC’s increased scrutiny of boards’ cyber-risk responsibilities, directors will likely be mandated at some point to populate their boards with individuals who have cybersecurity expertise. Public boards would be wise to consider that process now.

3. Establish a Formal Breach Response Protocol

Every company is vulnerable to a security breach, no matter what steps have been taken to prevent it. Even so, too few companies have formal and documented processes in place for addressing such an incident.

The company’s breach response process should be captured in a written plan that includes input from multiple departments. It should identify who will serve on the incident response team; each team member’s roles and responsibilities; how the company will report breaches to investors, the public and other stakeholders; and the disclosure timing.

A key component of the overall plan is a list of detailed action steps incident response team members should take. The action plan also should identify others in the company who need to be advised of or involved in the various steps and spell out the documentation or additional actions necessary throughout the investigation process.

The company should notify board members immediately if a breach occurs, for two reasons: it underscores the board’s commitment to engagement in and oversight of cybersecurity, and it helps ensure the company’s insider-trading policies will be followed.

The process also should identify how the company will access digital forensic expertise, either internally or through a third-party source, in the event of a breach. This resource will allow the company to quickly determine how the breach occurred and what information has been compromised. If payment card data has been exposed during a breach, the company is required to engage a third-party forensic company certified by the PCI Security Standards Council.

Board members should review the plan, and every individual who has a role in carrying out the plan should receive ongoing training that prepares him or her to respond confidently and effectively to a cybersecurity incident. The company should test and review the plan annually and modify it when appropriate.

Further, almost all U.S. states have their own laws about what qualifies as a security breach and timing for disclosing such breaches. Companies that operate in multiple states must adhere to each state’s reporting requirements and build a process for meeting these requirements into their incident response plan.

4. Expect Regular Reporting and Testing

Corporate boards should receive regular reports from executives about the company’s cybersecurity risks, management review processes, overall health and readiness to respond to an incident. A best practice is quarterly reports from leadership and more frequent reporting if needed.

At least annually, company leadership should carry out incident response plan tabletop exercises. Board members should expect reports on these test outcomes, as well as details about how the plan will be updated based on what the tests may have revealed.

5. Establish a Disclosure Committee

It is advisable that publicly traded companies establish a disclosure committee that, among other things, is tasked with discussing cybersecurity risks or breaches and reviewing the accuracy, completeness and timeliness of financial reports or other public disclosures. Doing so provides a mechanism to elevate issues through the committee with the specific purpose of determining if a notification is triggered based on the nature and scope of a cyber incident.

Disclosure committee members and the finance department should review any new or ongoing cybersecurity investigations, determine the materiality of each incident under the SEC rules and decide if a disclosure is appropriate or required. This helps satisfy the SEC requirement that cyber incidents are being escalated for review and possible disclosure. The finance and security departments also should be involved in evaluating whether the issues being investigated may require restrictions on insider trading. Outside counsel can be helpful in making this determination if the disclosure committee is unsure whether the security issue meets the SEC’s materiality threshold and therefore requires disclosure in a public SEC filing.

Further, when the CSO is included at the executive table, he or she should report directly to the CEO for the purpose of escalating a review of security matters and reporting them to the board of directors on a quarterly basis.

Public companies are attractive targets for cybercriminals. Corporate boards, who are accountable to shareholders for a company’s health and financial performance, can expect growing scrutiny of their attention to cybersecurity, not only from the SEC, but also from legislators and the public. Directors must be diligent in helping companies evaluate risk so those companies are better prepared to address the daunting cybersecurity challenge.
Jayne Friedland Holland

Jayne Friedland Holland is Chief Security Officer at NIC Inc. (Nasdaq: EGOV), the nation’s premier provider of innovative digital government and secure payment processing solutions for more than 6,000 local, state and federal agencies across the United States.