Cybersecurity represents a high-profile risk management challenge that corporations must address at the board-of-directors level as a top priority. Minimizing cybersecurity risk is a critical fiduciary duty for directors, as well as for asset owners and other institutional investors.
The apparent Russian hacking to undermine the U.S. presidential election process should have raised the profile of cyberthreats to all significant companies and institutions, and should drive more attention to the exposure. At the very least, one director on every board must have cybersecurity expertise.
Cyberthreats expose investors to risks. For example, Verizon Communications Inc.'s proposed acquisition of Yahoo Inc.'s operating business is still at risk of termination over “security incidents disclosed” by Yahoo last month and in September, according to a Jan. 9 Yahoo filing with the Securities and Exchange Commission.
The vulnerability of even an Internet-savvy company such as Yahoo shows the challenge of protecting against cyber risks and responding to cyberattacks.
Most large companies and institutions, the ones most likely to be attacked by cyber criminals or vandals, have built protections against such attacks. But without someone knowledgeable on their boards, they cannot know whether those efforts are sufficient or are keeping pace with the sophistication of the attackers.
Only 52 companies in the S&P 500 stock index have at least one director identified with cybersecurity expertise, according to data from ISS Analytics. The companies include Arthur J. Gallagher & Co., Boeing Co., Bank of America Corp., Bank of New York Mellon Corp. (BK), Chevron Corp., General Motors Co., Raytheon Co., State Street Corp. (STT) and Wells Fargo & Co. In all, there are 55 directors whose companies disclose them as having cyber competency.
Those 55 directors amount to about 1% of the 5,534 directors serving on S&P 500 boards.
Shareholders must do more to raise the profile of the issue at the board level by seeking board expertise, and through more disclosure initiatives. But shareholders have not generally so far embraced the issue in terms of proxy proposals.
In 2014, 2015 and 2016, only seven proposals were filed that called for a report on board oversight of privacy and data security. Four were withdrawn, and three came to a shareholder vote, all at American Express Co., with 78% to 78.8% of votes cast to reject the proposal.
As a yardstick for gauging shareholder interest, the small number of proxy proposals indicates that cybersecurity hasn't been a priority. The lack of shareholder concern likely helps explain the inattention at the board level.
Even so, far more corporations must embrace cybersecurity at the board level as a basis for building a management infrastructure that can oversee corporate efforts to identify, prevent, and respond to cyberattacks. Corporations, with or without board-level expertise, must explain to shareholders how they manage the issue, and they must provide enough disclosure so shareholders can evaluate the cybersecurity approach.
Some boards leave oversight of cybersecurity to their audit committees, but Mary Jo White, the SEC chairwoman who announced in November that she would step down at the end of the Obama administration, warned that giving the audit committee this additional responsibility would dilute its core focus on financial concerns.
Beyond the competitive, financial and reputational pressures to minimize cyber risk, regulations are coming that will push corporations to strengthen cybersecurity.
The Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. on Oct. 1 jointly proposed rule-making to enhance cyber risk management standards at larger, interconnected financial service companies under their regulatory oversight.
In a comment submitted on the proposal, Reginald P. Best, president and chief product officer, Lumeta Corp., which provides cyber situational awareness analytics tools and services to seven of the largest financial services companies, said: “In our experience, covered entities have limited tools or processes to authoritatively evaluate their situational awareness. There is a false sense of security that organizations have that they know and understand what is happening on their networks.”
The proposal would require financial institutions that come under the oversight “to establish and maintain a corporate governance structure that implements the cyber risk management program on an enterprise-wide basis.”
SEC guidelines require companies to disclose material cybersecurity risks. But these guidelines, which date to 2011, need updating to keep up with evolving cyber risks.
In 2015, a bill called the Cybersecurity Disclosure Act of 2015 was introduced in the Senate seeking to encourage “transparency in the oversight of cybersecurity risks.” It would require companies to disclose whether any director has cybersecurity expertise or, if not, why this expertise on the board is not necessary. The legislation was directed at enhancing disclosure to better inform shareholders and encourage companies to act, rather than requiring any such cyber expertise on boards.
The bill, which never made it out of committee, could be revived in the new Congress, considering the firestorm over the Russian hacking that heightened attention to cyber risk. Boards must keep pace with technology innovation and cyber risks.
PricewaterhouseCoopers, in a 2016 report, recommended that companies develop a set of cybermetrics to assess risks and a framework for managing vulnerabilities. That is a good way to begin measuring effectiveness, because what gets measured gets managed.
Corporations have to demonstrate that they are adding board cyber competency, and disclose such moves to show shareholders they are doing so. Like corporations, asset owners and other institutional investors have a fiduciary duty to minimize unrewarded risk exposures and must embrace cybersecurity as a priority, and encourage companies they invest in, or that provide them with services, to do likewise.
This article originally appeared in the January 23, 2017 print issue as, "Get real on cybersecurity".