Security Week: Why Cyber Security Oversight Belongs in the Board Room
Traditionally, cyber security has been considered the exclusive domain of IT and security operations departments, which were charged with the purchase and deployment of technology to defend against network intrusions. However, the long line of devastating data breaches at Target, JPMorgan Chase, Home Depot, and dozens of other established, respected brands is changing all that. Nowadays, the responsibility for the safety, security, and integrity of an organization’s network has shifted to executive management and boards of directors. For some, though, the question remains: why should cyber security be a board oversight issue?
Over the last few years, cyber threats have emerged as some of the most significant business risks facing organizations. For many, the Target breach was a watershed event. The subsequent lawsuits and settlements, which totaled in the tens of millions of dollars, revealed the scale of the financial impact associated with cyber-attacks. Since boards of directors have a fiduciary responsibility to preserve corporate financial value, these breaches were a rude wake-up call. Meanwhile, the courts are holding businesses accountable for implementing appropriate security practices to protect consumers’ personal information. The Home Depot, which booked $161 million of its pre-tax expenses to cover a breach, including $19.5 million for the consumer settlement, is a good example.
In response, boards have started to move away from viewing cyber security as merely a core function of IT management, and are now demanding that C-suites treat cyber threats as an enterprise risk that should be addressed from a strategic, company-wide, and economic perspective. They are taking a very active interest in cyber security, and want to be kept informed of current and evolving risks, as well as the organization’s security preparedness and response plans. As a matter of fact, according to a recent study by accounting firm EisnerAmper (EA), directors of boards are most worried about cyber security risk (70 percent), reputational risk (66 percent), regulatory compliance risk (64 percent), and senior management succession planning (51 percent).
These results reflect the fact that boards now recognize that protecting against cyber-attacks and complying with evolving regulatory mandates is becoming more challenging and increasingly costly. As an example, the European Union’s new Data Protection Directive stipulates fines of up to 5% of a company’s global revenue, which creates a foundation for civil litigation. In cases where cyber security insurance is being considered as a regulatory fence against cyber risks, the board’s risk committee is required to determine coverage for directors’ and officers’ liability, commercial general liability, prior acts, as well as property and casualty insurance.
Read the full article on Security Week.