cybersecurity risk assessment

The National Association of Corporate Directors (NACD) recently released the results of its flagship 2017-2018 Public Company Governance Survey, which identifies key areas of concern for corporate directors. This year's survey results contain both troubling and encouraging findings concerning the current state of cybersecurity risk readiness at public companies.

Not surprisingly, the survey of 587 corporate directors of 520 public companies identified cybersecurity threats among the top five trends predicted to have the greatest effect on companies over the next 12 months, trailing behind only risks associated with significant industry change, business model disruption, and changing global economic conditions.


The (Somewhat) Good News

The encouraging news from the survey is that boards seem to be slowly gaining a better understanding of cybersecurity risks, enabling them to better vet and question the information they receive from corporate management about cyber risks. This year, 15 percent of directors believe that their boards have very little or no knowledge of cyber risks, compared with 22 percent in 2015. By any measure, however, 15 percent is a remarkably high number for public companies concerning this critical risk.

On a brighter side, it appears that more of today's corporate directors are not blindly accepting internal reporting concerning their company's state of cyber readiness. Twenty-two percent of directors indicated dissatisfaction with the quality of cyber risk information they receive from corporate management. Those directors do not believe that they have adequate transparency into the company's cybersecurity problems, or they believe that the information they are receiving does not allow for effective internal and external benchmarking.

These should be critical areas of concern for every corporate director, as responsibility and liability for cybersecurity is beginning to reach board levels, as exemplified by the New York State Department of Financial Services (DFS) Cybersecurity Regulation, which contains explicit board responsibilities and mandates written certification of compliance with the regulation by the board or a senior officer. It is widely anticipated that other regulators will follow DFS's lead and adopt similar regulations, further increasing the cyber risk stakes for corporate directors.


The Bad News

The survey also contains some findings that have no silver lining. Only 37 percent of directors are confident or very confident that their companies are properly secured against a cyber attack, while 60 percent indicated that they are only slightly or moderately confident. Three percent responded that they are not at all confident. In the survey's Executive Summary, the NACD noted that the lack of board confidence “may be driven by the fact that existing defense systems quickly become obsolete when cyber threats mutate and companies adopt new technologies.”


Final Thoughts

This year's NACD survey provides an important reality check for directors and their legal counsel concerning the current state of board awareness and competence relating to cyber risk. Those risks are now firmly on the shoulders of today's corporate directors. Indifference to the risks or simply accepting internal reporting about them will not suffice, given their gravity and the financial, competitive, and reputational impact they can have on the enterprise. To protect themselves and their companies, corporate directors need to engage in active, engaged, informed, and documented oversight of cyber risks.

Judy Selby JD is a Principal of Judy Selby Consulting LLC and a senior advisor at Hanover Stone Partners LLC. She provides insurance consulting, cyber insurance analysis, and insurance coverage expert witness services, with a particular focus on cyber-related issues.