Following each high-profile data breach, whether a mega breach involving a big-box retailer such as Target or Home Depot, a web services provider like Yahoo!, or a consumer credit reporting agency such as Equifax, corporate boardrooms receive a potent reminder of their responsibilities to their organizations’ customers and shareholders. Many cybersecurity consultants have noted that cybersecurity can no longer be viewed as an IT issue; it must be embraced as an executive responsibility involving all stakeholders, from C-suite executives to the boards of directors of their respective organizations. Indeed, as the threat to corporate information systems increases exponentially each year, creating a correlative risk of significant liability, expense and reputational harm to organizations that are hacked, there is growing recognition that, as a matter of corporate governance, cybersecurity programs and policies, risk assessment and management, and risk mitigation must be given priority.
While recent surveys tend to show that corporations are implementing improved programs, policies and safeguards to protect their sensitive digital data against cybersecurity threats, other surveys suggest that they might not be doing enough. In that regard, the results of a NYSE Governance Services and Diligent survey of directors of publicly traded companies suggest a possible disconnect between the progress organizations are actually making to protect data and the communication practices of their directors, which may be undermining those efforts. For example, 92% of the directors reported using unencrypted personal email accounts, exposing sensitive corporate data to attack; 34% reported downloading corporate documents to their personal devices, which similarly leaves the data susceptible to being lost, stolen or hacked; and 62% of respondents indicated they are not required to undergo cybersecurity training.
Moreover, the respondents’ lack of knowledge about their own corporations’ cybersecurity practices was surprising. In that regard, 40% of respondents reported not knowing whether their companies conducted security audits of their boards’ practices, and another 50% stated they did not know whether their cybersecurity teams monitor whether their boards adhere to the corporate communications guidelines. The NYSE Governance Services and Diligent survey is available for download.
As the effectiveness of any corporate cybersecurity program is only as strong as its weakest link, hackers have increasingly targeted directors, seeing them as attractive points of entry because of their relatively poor cybersecurity hygiene and oversight, coupled with the fact that they have access to some of the most sensitive corporate information.
The NYSE Governance Services and Diligent survey reemphasizes the importance of cyber-training at the highest levels, including ensuring that communications with members of a company’s board are secure and that the members are aware of, and follow, the policies governing those communications.