Corporate Boards Still In the Dark About Cybersecurity

As the U.S. natural gas pipeline sector and the Department of Homeland Security square off against malicious cyber intrusions aimed at companies, along comes yet another study that highlights serious governance shortcomings of critical infrastructure companies when it comes to cybersecurity.

The Governance of Enterprise Security: CyLab 2012 Report [PDF], released last week by Carnegie Mellon University, offers the first side-by-side comparison of industries on governance practices and cybersecurity oversight. Compared against the financial, IT/telecom, and industrials sectors, energy/utilities companies fared the worst.

Of the critical infrastructure respondents, the energy/utilities sector had the poorest governance practices, writes study author Jody Westby in Forbes (a co-sponsor of the survey, along with RSA). When asked whether their organizations were undertaking six best practices for cyber governance, the energy/utilities sector ranked last for four of the practices and next to last for the other two.

The energy/utilities sector responses, as reported by Forbes, broke down as follows:

71 percent of their boards rarely or never review privacy and security budgets.
79 percent of their boards rarely or never review roles and responsibilities.
64 percent of their boards rarely or never review top-level policies.
57 percent of their boards rarely or never review security program assessments.

The energy/utilities respondents also placed the least value on IT experience when recruiting board members, writes Westby, the CEO of the consultancy Global Cyber Risk.

Westby finds the energy/utilities results particularly troubling: What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity, she says. The sector is also heavily dependent on industrial control systems (known by the acronym SCADA), most of which were not designed for security and have no logging functions to enable forensic investigations of attacks, she adds.

The survey noted that overall, the financial sector has better privacy and security practices than other industry sectors. The financial sector got the highest marks on undertaking best practices, and respondents from those companies also indicated they are much farther ahead in establishing risk committees on the board: 78 percent said they had a risk committee separate from the audit committee, compared to 44 percent among industrials, 35 percent among energy/utilities, and 31 percent among IT/telecom.

The energy/utilities and the IT/telecom sectors were the least likely to review cyber insurance coverage79 percent and 77 percent, respectively, said they did not do so. Meanwhile, 52 percent of financial sector boards and 44 percent of industrial sector boards said they didnt perform a review.

But as the first round of CyLab survey findings published earlier this year revealed, governance around cyber risk is generally lacking. Despite holding extensive troves of digital assetsand bearing an explicit fiduciary duty to protect those assetsboards and senior management are not exercising appropriate governance over the privacy and security of their digital assets, according to the results.

These findings on board oversight dovetail with those of a 2011 study by the Center for Strategic and International Studies and McAfee, focused on power, oil, gas, and water companies around the world. That report, too, uncovered a similar dearth of preparedness.

What we found is that they are not ready, wrote the authors of last years In the Dark: Crucial Industries Confront Cyberattacks [PDF]. The professionals charged with protecting these systems report that the threat has acceleratedbut the response has not.

Those threats, as reported by company executives, increased substantially from the previous year. In the 2010 survey, nearly half of the respondents said that they had never faced large-scale denial of service attacks or network infiltrations, according to the authors. By 2011:

80 percent of respondents said they had faced a large-scale denial of service attack.
85 percent said they had experienced network infiltrations.
A quarter of respondents reported daily or weekly denial-of-service attacks on a large scale.
Nearly two-thirds said that, on at least a monthly basis, they found malware designed for sabotage on their system.

Featured Firms

Law Offices of Gary Martin Hays & Associates P.C.

75 Ponce De Leon Ave NE Ste 101

Atlanta, GA 30308

(470) 294-1674

www.garymartinhays.com

Law Offices of Mark E. Salomone

2 Oliver St #608

Boston, MA 02109

(857) 444-6468

www.marksalomone.com

Smith & Hassler

1225 N Loop W #525

Houston, TX 77008

(713) 739-1250

www.smithandhassler.com

Presented by BigVoodoo

More From ALM

As generative artificial intelligence inspires one of the biggest transformations in generations, Practical Guidance continues to provide the latest tips to help you prepare for the rapid evolution in the way attorneys work.

Practical Guidance Journal: Protecting Work Product in a Generative AI World

Brought to you by LexisNexis®
Download Now

The recent SEC release comes with significant changes for private fund managers. Hear expert insights on what happened, what it means, and what the compliance considerations are.

Countdown to Compliance: SEC Private Fund Reforms

Brought to you by Ontra
Download Now

Find out what features make a code of conduct most effective. Hint: it’s not just the rules.

9 Ethical Code of Conduct Examples for the Business Professional

Brought to you by LRN
Download Now

Premium Subscription

With this subscription you will receive unlimited access to high quality, online, on-demand premium content from well-respected faculty in the legal industry. This is perfect for attorneys licensed in multiple jurisdictions or for attorneys that have fulfilled their CLE requirement but need to access resourceful information for their practice areas.
View Now

Team Accounts

Our Team Account subscription service is for legal teams of four or more attorneys. Each attorney is granted unlimited access to high quality, on-demand premium content from well-respected faculty in the legal industry along with administrative access to easily manage CLE for the entire team.
View Now

Bundle Subscriptions

Gain access to some of the most knowledgeable and experienced attorneys with our 2 bundle options! Our Compliance bundles are curated by CLE Counselors and include current legal topics and challenges within the industry. Our second option allows you to build your bundle and strategically select the content that pertains to your needs. Both options are priced the same.
View Now

From Data to Decisions

Dynamically explore and compare data on law firms, companies, individual lawyers, and industry trends.

Exclusive Depth and Reach.

Law.com Compass includes access to our exclusive industry reports, combining the unmatched expertise of our analyst team with ALM’s deep bench of proprietary information to provide insights that can’t be found anywhere else.

Big Pictures and Fine Details

Law.com Compass delivers you the full scope of information, from the rankings of the Am Law 200 and NLJ 500 to intricate details and comparisons of firms’ financials, staffing, clients, news and events.

General Counsel Conference Midwest: SuperConference 2024

April 16, 2024 - April 17, 2024
Chicago, IL

Join General Counsel and Senior Legal Leaders at the Premier Forum Designed For and by General Counsel from Fortune 1000 Companies

Learn More

General Counsel Summit (GCS) 2024

August 12, 2024 - August 13, 2024
Sydney, New South Wales

General Counsel Summit is the premier event for in-house counsel, hosting esteemed legal minds from all sectors of the economy.

Learn More

General Counsel Conference Southwest 2024

September 18, 2024 - September 19, 2024
Dallas, TX

Join General Counsel and Senior Legal Leaders at the Premier Forum Designed For and by General Counsel from Fortune 1000 Companies

Learn More