What keeps corporate Board members up at night? Cybersecurity threats.
This week, the Council of Institutional Investors met in Boston for its bi-annual conference. In the panel discussing cybersecurity risks it became immediately clear that companies should not be asking “if” they will be subject to a cyberattack but “when.”
Boards cannot “outsource” this risk. Even when using third-party vendors to handle their critical data, Boards need to know who has access to it and whether they are managing risk according to company standards.
Cyber risk has become a broad-based business concern for every company that cuts across other risks, including sensitive areas such as operations, reputation and brand, and customer privacy. One of the latest types of cyber threats has been hackers who capture company data and ransom it back to the company for a price. Companies must plan for such an event, no matter how unlikely it seems, and ask some hard questions. If someone captures your data and asks for money, will you pay? How will you pay? Do you have insurance policy coverage to address this modern-day piracy?
As panelists discussed these issues, several themes emerged. First, a company’s chief risk officer must provide the Board with enough information to show what the formal response structure to the risk is, so that the tone is set “at the top.” Second, each company must assess its “risk tolerance”; some panel members suggested that a “zero risk” tolerance is not feasible, though a company admitting that it is willing to take risks with customer privacy is equally untenable. Finally, an appropriate response must commit talent and resources to detect, communicate, and respond to cyber risks.
S.P. Slaughter
Follow me on Twitter: @SP_Slaughter