As a board member, you carry significant responsibilities. Beyond your fiduciary duties and setting the mission and vision of the company, you are responsible for oversight of the entire organization. That is a broad remit: oversight of business and risk strategy, organizational structure, financial soundness, and regulatory compliance is a tall order. In addition to serving as a general board member, you may chair or sit on board committees that oversee a specific discipline, such as an Audit or Personnel Committee. But does your board have oversight of the organization’s cybersecurity strategy? Does it have the skills necessary to ask the right questions and execute its oversight responsibilities effectively in this area?
Your hand may soon be forced. Senators Susan Collins, Mark Warner, and Jack Reed introduced S.536 which, if passed, would require public company boards to have cybersecurity expertise, or to explain why they do not. The bill, titled the Cybersecurity Disclosure Act, seeks “to promote transparency in the oversight of cybersecurity risks at publicly traded companies.” It directs the Securities and Exchange Commission (SEC), in consultation with the National Institute of Standards and Technology (NIST), to issue final rules defining what counts as cybersecurity expertise and the level of board participation required.
Increasing Cybersecurity Incidents
As a board member, you may not be surprised to learn that the 2018 Verizon Data Breach Investigations Report counted over 53,000 security incidents and over 2,200 confirmed data breaches in 2017, drawn from contributors across 65 countries. The true number is very likely much higher: the report only covers incidents that were detected and shared with its contributors, and many companies keep incidents quiet or never realize they occurred at all. Not all of these incidents were the result of board incompetence, of course. But could more proactive boards have asked the right questions in advance? Was there an underinvestment in security? Are the right people tasked with managing cybersecurity? Is the right technology in place?
Cast your mind back to the horrific Equifax breach of 2017, which exposed the personal data of roughly 147 million U.S. consumers. Much was made at the time about Equifax’s then-Chief Security Officer Susan Mauldin having no formal education in IT (she was a music major) nor any professional credentials. But what is equally interesting is that the Equifax Board of Directors had no one with expertise in the field of cybersecurity who could challenge her. Ironically, the company’s 2016 annual report details significant capital expenditures – $173.5 million – “used for […] investing in system reliability, security, and disaster recovery.” Consider this expenditure when remembering that Equifax was undone by failing to apply a patch for a publicly known vulnerability in the Apache Struts web application framework, months after the fix had been released. That is a failure of patch management and asset visibility, not of capital budget. Might that $173 million have been better spent on staff training, vulnerability management, and security testing?
Regardless of whether the Cybersecurity Disclosure Act ever becomes law, security incidents are teaching us that governance is more than filling a seat. Ensure your board has the expertise to protect its critical assets.
O’Connor & Drew, P.C. is a leading independent accounting firm in the northeast. Over 5 years ago, the firm created OCD Tech, the IT Audit & Security division, to advise companies on ways to best manage IT risk in an ever more chaotic environment. Our specialists can serve in an interim capacity on boards or train your board members to better oversee matters pertaining to IT security. Contact us today.