Though these calls for action, coming from multiple sources, suggest an insufficient awareness of business-crippling threats at an organization’s highest levels, available evidence tells a more complicated story:
While a sizable percentage of corporate boards have yet to fully engage in their companies’ cyber security operations, many large public companies have been addressing cyber security at the board level for the past few years.
Oversight at the Top
Wells Fargo, number eight on Forbes’ 2014 ranking of the 10 largest public companies in the world, for example, has included cybersecurity as a risk factor in its financial fillings since 2011. The following excerpt is from the company’s annual report for that year:
“Although we believe we have robust information security procedures and controls, our technologies, systems, networks, and our customers’ devices may become the target of cyber attacks or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss or destruction of Wells Fargo’s or our customers’ confidential, proprietary and other information, or otherwise disrupt Wells Fargo’s or its customers’ or other third parties’ business operations.”
Recent efforts to elevate the oversight of an organization’s digital assets from the IT department to the business’s Board of Directors have been stepped up in response to an uptake in high-profile cyber attacks. Professional associations, government agencies and other voices in recent months have called for greater involvement from BoDs for the planning and execution of cyber security programs and strategies.
In a June 2014 address at the New York Stock Exchange, Security and Exchange Commissioner Luis A. Aguilar said that the corporate boards of US businesses needed to sharpen their focus on cybersecurity to lessen the frequency and aftermath of future attacks:
“Effective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”
The National Association of Corporate Directors (NACD), a professional association with more than 14,000 members, in June published the Cyber-Risk Oversight handbook. The document, a collaboration of NACD, AIG and the Internet Security Alliance, provides corporate boards with advice on enhancing their oversight of cybersecurity risks.
Growing Public Awareness
Recent attacks on high-profile retailers and banks, as well as revelations of state-sponsored surveillance and espionage, emphasize the vulnerability of businesses and government agencies of all sizes.
Though the majority of recent public breaches have been focused on obtaining customer data, such as credit card information, security experts warn of the total shutdown of operational capabilities. Such attacks would not only impact the value of shares or the reputation and competitive standing of a business, they could also destabilize financial markets, defense systems or emergency services.
It’s no wonder, then, that a chorus of voices is calling for corporate boards to assign the same priority to cyber security as they do to other business risks under their oversight.
Stepping up Cyber Risk Activities
But are businesses getting the message?
Those at the top of the food chain seem to be — at least based on what they are telling their shareholders.
Similar to Wells Fargo, J.P. Morgan Chase added a cybersecurity risk factor to its 10-K filing in 2011. Exxon Mobile and Berkshire Hathaway, both named on Forbes’ 2014 largest companies list, included the disclaimer in their 2012 financial filings.
General Electric, somewhat surprisingly, given that it is not a major player in the financial services industry, issued a warning to shareholders in documents dating back to 2010.
It’s impossible to correlate the inclusion of cyber security risk factors in financial fillings with meaningful BoD oversight. Similarly, it’s unfair to make assumptions about the quality or effectiveness of a company’s digital defenses based on publicly revealed security breaches.
Of the top five largest public companies in the US, JP Morgan has been the most aggressive in promoting its cyber security activities in public documents. The company’s 2013 annual report includes an update from President, CEO and Chairman Jamie Dimon emphasizing the company’s commitment to digital security, including the construction of three “state-of-the-art Cybersecurity Operations Centers.”
Despite these efforts, which are estimated to exceed $250 million annually and involve 1,000 people by the end of 2014, according to the company’s most recent annual report, JP Morgan was the primary target of a recent and prolific cyber attack.
Mainstream Businesses Playing Catch-up
Research involving more mainstream businesses suggests sluggishness by BoDs to take on key cyber risk management tasks, such as reviewing budgets and assigning roles and responsibilities. A 2012 survey of more than 100 corporate officers from companies on the Forbes Global 2000 list conducted by Carnegie Mellon University found that only 33% were including computer and information security among their risk management responsibilities. Results from a more recent version of the biennial survey were not available.
Legal Actions against BoDs
The primary responsibility of directors, who are often not involved in the day-to-day operations of the public companies they serve, is protecting the interests of shareholders. Their own financial fortunes, though, might be greater motivation for BoD members to take a larger role in the protection of the company’s digital assets.
At least two lawsuits (Collier v. Steinhafel et al. and Dennis Palkon et al. v. Stephen P. Holmes et al.) have been filed this year that seek to place a portion of the responsibility for recent security breaches with company directors. The law suits charge board members and company officials with failing to take adequate measures to protect the digital assets of the business. The cases portend an erosion of immunity from dismissal or financial penalties resulting from cyber attacks at the board level.
For directors that have yet to heed the call to take on greater responsibility for cybersecurity, nothing is likely to get their attention faster than a potential attack on their pocketbooks.