Cyber Security Governance for Boards of Directors

by Edward Stroz and Carl S. Young

Those of us who serve on boards of directors and who also advise boards on cyber security risk management have been subjected to a steady drumbeat regarding our responsibility to ensure appropriate board oversight. Recent cyber risk management guidance from the US Securities and Exchange Commission (SEC) is just one of multiple examples of enhanced requirements regarding security disclosures by public companies.

Boards of directors are certainly capable of assessing cybersecurity risk when each member is appropriately informed on the relevant issues. Unfortunately, communications about cybersecurity risk are frequently neither informative nor clear to the intended audience. To fulfill their governance responsibilities and to overcome this communication gap, boards must identify cybersecurity priorities in the near term while ensuring the underlying drivers of cybersecurity risk are addressed in the long term by the risk management strategy. In our view, accomplishing these near- and long-term objectives requires three areas of focus.
