Cybersecurity risks are growing. As society produces more lines of code, and everything, from cars to sex toys, becomes connected, more vulnerabilities are produced daily, inviting more data breaches. The costs associated with security breaches, mostly reputational, have also increased in terms of legal costs and outright losses of revenue. The new oil is not just data: it is security vulnerabilities, traded on legitimate and outlawed markets.

The rapidly changing cyber landscape is creating new types of cyber risk, which directors simply cannot continue to ignore. If they do ignore them, they might be hit with a shareholders' derivative lawsuit in the event of a breach, claiming that management breached its fiduciary duty to the corporation by failing to monitor cyber risk.

Cyber is becoming a subject regularly discussed in boardrooms and a critical corporate governance concern. Recent research by the U.S. National Association of Corporate Directors (NACD) reported that while directors acknowledge the importance and prominence of cyber risks, they also believe that "their boards do not possess sufficient knowledge of this growing risk."

In light of these findings, the NACD issued a new report detailing five key principles that directors can adopt to enable oversight of cybersecurity risks: (i) approaching cybersecurity as an "enterprise-wide" managerial risk, (ii) understanding the legal implications of cyber risks, (iii) enabling access to cybersecurity expertise and discussing cyber risks in the boardroom regularly, (iv) establishing an enterprise-wide cyber-risk management framework, and (v) managing cyber risks in terms of deciding which risks to avoid, manage, or mitigate through cyber-insurance. Implementing an independent monitoring system, such as a bug bounty program, could also enhance directors' ability to oversee security risks.

While the NACD report might provide directors with advice on how to oversee cyber risks, other developments in the "cyber-corporate" arena suggest that directors should take a more proactive managerial approach to cyber risks, one that requires them to have genuine expertise in this field.

First, New York adopted a new comprehensive cyber regulation for financial services companies regulated by the New York State Department of Financial Services, effective March 1, 2017 (with a transition period, § 500.22). The newly adopted 23 NYCRR 500 Cybersecurity Requirements require covered entities, among other things, (1) to conduct periodic risk assessments, (2) to implement a cybersecurity policy that evaluates the effectiveness of the corporation's cybersecurity program, and (3) to conduct periodic penetration testing and vulnerability assessments. Most importantly, the 23 NYCRR 500 regulations compel directors to pay attention to cyber laws: they require the Chairman of the Board or a "Senior Officer" to personally sign the annual certification confirming compliance with the regulations, the Board or a "Senior Officer" to approve the cybersecurity policy, and the Board to receive annual reports from the chief information security officer.

Second, a new bill proposal, the Cybersecurity Disclosure Act of 2017, seeks to mandate that public companies disclose to investors information relating to their directors' expertise and

Source: The Network
