Why Cybersecurity Is a Board-Level Issue

Cybersecurity is no longer an issue that can be addressed by handing the IT guy the company AmEx and telling him to buy the latest and greatest antivirus software. Cybersecurity can’t be managed by a single individual with simple solutions. The threats are too sophisticated and the risks are too high. That’s why we’ve discussed the importance of incident response planning, putting your information security policy in writing, understanding what is covered by cybersecurity insurance, and staying up to speed on the latest data breach laws.

But how far up the ladder should cybersecurity go?

According to new research, cybersecurity is widely considered a board-level issue. In fact, a recent Palo Alto Networks survey found that three quarters of respondents agree or strongly agree that their organization’s board of directors has been actively involved in cybersecurity. These findings were reinforced by Gartner’s annual end-user survey for privacy and information security, which revealed that 71 percent of respondents believe IT risk management data had an impact at the board level.

Because of the severe damage that can be caused by a data breach, senior executives are now taking the fall in some cases, not just the employees or vendors who may have opened cyber doors for attackers. The CEO and CIO of Target were both fired after the company’s high-profile data breach that impacted 40 million customers. The Director of the U.S. Office of Personnel Management resigned after hacked personnel databases resulted in the compromised personal data of more than 21 million government employees and family members.

The takeaway here is that cybersecurity is a risk management issue that goes far beyond IT operations and requires board-level oversight. The fiduciary duty of the board of directors is to protect company assets. Those assets include proprietary information, trade secrets, the private data of employees and customers, and the company’s reputation. Directors don’t have to know how to install and configure a next-generation firewall, but they should have access to experts who can advise them on security strategies that can safeguard those assets.

But again, cybersecurity is not just about technology. Whether the board is directly involved in cybersecurity or forms a risk oversight committee for that purpose, there should be oversight of all security policies and processes, from the identification of threats and vulnerabilities to breach notification procedures to business continuity planning. The National Institute of Standards and Technology has released a voluntary Cybersecurity Framework of standards and best practices developed to reduce risk to IT infrastructure and data housed in that infrastructure.

Of course, downloading documents and understanding general principles are one thing. Implementing best practices in a way that addresses privacy, regulatory requirements and legal liability is something quite different. This is why boards of directors would be well-served to seek legal counsel to provide guidance on cybersecurity regulations and policies, which are constantly evolving and require frequent review and evaluation.

A breach can have serious financial repercussions, including lost sales, litigation and compliance fines. The negative publicity alone from a security incident can be staggering in terms of damage to a brand’s reputation. As a result, cybersecurity must be a priority at the board-level. It requires company resources, ongoing education and diligence, and the guidance of both IT security experts and legal counsel.