Industry groups offer guidance to executives and board directors on impact of cyber-breaches
IR professionals have been warned that cyber-hackers are taking aim at public companies in an attempt to lower share prices, causing growing concern among corporate directors.
Just 42 percent of board members feel confident or very confident their company is properly secure against a cyber-attack, according to a new advisory handbook issued by the National Association of Corporate Directors (NACD) and Internet Security Alliance (ISA).
‘This guide absolutely advocates taking a very proactive approach,’ says Larry Clinton, CEO of ISA. ‘We need to be focused on cyber-security on the front end, not just the back end… Some attackers are using attacks to generate publicity in order to manipulate stocks.’
The cost of cyber-attacks is expected to spiral to $6 tn by 2021 and the handbook warns that high-profile attacks could lead to shareholder derivative lawsuits accusing a company of mismanagement, waste of corporate assets and abuse of control. This has already been the case following the breaches at Target and Wyndham Hotels (as this article from Corporate Secretary outlines), although both companies successfully defended themselves from shareholder lawsuits.
‘Cyber-security is more than a technology issue,’ says NACD CEO Peter Gleason. ‘It’s a significant enterprise-wide risk and strategy issue that affects all organizations.’
NACD and ISA say boards should receive regular briefings on legal and regulatory issues specific to their company, and that these briefings should be recorded in the board minutes. In particular, they note the challenges arising when companies operate across borders, which require directors to understand varying public disclosure and reporting requirements.
‘Each company needs to understand its unique legal environment,’ says Clinton. ‘We advocate that boards should probably be receiving briefings on a quarterly basis and perhaps deep dives on the side.’
Officials from the US Department of Justice (DoJ) and US Department of Homeland Security (DHS) joined Gleason and Clinton at the launch of the handbook to make the case for collaboration with government agencies as an alternative to regulation.
Adam Hickey, deputy assistant attorney general with the DoJ’s national security division, says: ‘The largest ingredient for success is not legislation, regulation or policy. It’s our relationships with people every day in the private sector.’
The department plays a role in holding perpetrators of cyber-attacks accountable, but is also available to help organizations proactively develop a response to such invasions. ‘Our goal is to better understand the threat before an intrusion occurs,’ Hickey adds.
DHS also provides a variety of resources, including a 24/7 incident response watch center, breaking news alerts about new threats, a weekly bulletin and publications about both technical and strategic cyber-security planning. These are accessible at www.us-cert.gov.
Clinton says that, unlike in cases of corporate wrongdoing where the government stands in to protect consumers, in the cyber-security world, governments, consumers and industry are all on the same side. ‘The bad guys are out there attacking all of us, so it’s critical that we work together,’ he adds. While agreeing that it’s important for boards to have a firm grasp of legal and regulatory issues, he has reservations about the impact of rules: ‘The traditional regulatory model does not fit well for cyber-security because the technology changes too quickly.’