Recent global cyberattacks have rudely reminded corporate America that cybersecurity risk management must be at the top of the board of directors’ corporate governance agenda. Companies have no choice but to prepare proactively, while directors must understand the nature of cybersecurity risk and prioritize its oversight. Preparation, monitoring, emergency response, and disclosure are topics that boards should consider regularly to properly oversee cyber-risk management. Boards should receive periodic updates from management and its expert advisors on the rapidly developing regulatory cybersecurity environment and on the company’s compliance with applicable cybersecurity standards.
Regulatory Environment
A wide range of regulatory efforts are underway with respect to cybersecurity. President Trump signed an executive order this month requiring federal agencies to proactively assess and manage their cybersecurity risks; while the order does not apply to public companies, it highlights the importance of vigilant attention to addressing cyber threats. Federal banking regulators are in the process of establishing cyber-risk management standards for major financial institutions. And on Capitol Hill, a draft bill was introduced last year that would apply Sarbanes-Oxley certifications and internal controls requirements to a company’s information and technology systems and cybersecurity-related controls; while its passage is unlikely, it indicates legislative attention to this issue.
