Knowledge Center: Publication
Chief Executive Officer & Board of Directors
Breaching the silence on cyber security10/4/2013 David Boehmer and Krishnan Rajagopalan
For all the sound and fury, many boards spend surprisingly little time on cyber security. Here are 10 questions directors should be asking management.
For boards of directors, cyber security is no longer an IT issue but an urgent matter of risk management. The list of risks is long and getting longer: theft of intellectual property, breaches of customer information, denial of service, malicious code, viruses, disclosures of information by disgruntled employees, and more. Meanwhile, yesterday’s cyber vandals have been joined by a new generation of online über-criminals, by other groups working closely with governments intent on stealing trade secrets and passing them on to their nation’s critical industries, and by “hactivists” with a political axe to grind. In October 2011 the SEC issued guidance to the effect that cyber attacks should be disclosed if they had material impact on a company’s operations or finances or were among the factors that could make an investment risky. In February 2013, an executive order and accompanying presidential policy directive instructed government agencies to work on cyber security issues with private owners of critical infrastructure in the U.S.
Yet for all the sound and fury, many boards spend surprisingly little time on cyber security. According to the Carnegie Mellon Governance of Enterprise Security: CyLab 2012 Report, a survey of senior executives and corporate board members from the Forbes Global 2000 list, “only about one-third of the boards that are engaged with privacy and security issues are focusing on activities that would help protect against reputational or financial losses flowing from data breaches and theft of confidential and proprietary information.”
To some degree, the silence in boardrooms is understandable. Cyber security is a technically complex subject; the IT structure is largely opaque to most directors, and many board members judiciously refrain from speaking up on matters they don’t understand. But the issue is much more than an IT one — cyber security extends across nearly every action a firm takes.