NACD and ISA press board oversight on cyber-security

The National Association of Corporate Directors (NACD) and Internet Security Alliance (ISA) have called for greater board oversight regarding cyber-security, amid growing losses that are tipped to exceed $6 trillion by 2021.

Highlighting the degree of uncertainty around the topic, just 42 percent of board members feel confident or very confident that their company is properly secure against a cyber-attack, according to a new advisory handbook from the groups. The handbook is built around five core principles that ISA and NACD say boards should consider as they seek to enhance their oversight of cyber-risks, along with an expansive list of tools and resources for directors.

‘Cyber-security is more than a technology issue,’ says NACD CEO Peter Gleason. ‘It’s a significant enterprise-wide risk and strategy issue that affects all organizations.’

NACD and ISA say boards should receive regular briefings on legal and regulatory issues specific to their company, and that these briefings should be recorded in the board minutes. In particular, they note the challenges arising when companies operate across borders, which require directors to understand varying public disclosure and reporting requirements.

‘Each company needs to understand its unique legal environment,’ says Larry Clinton, CEO of ISA. ‘We advocate that boards should probably be receiving briefings on a quarterly basis and perhaps deep dives on the side.’


PRIVATE-PUBLIC COLLABORATION
Officials from the US Department of Justice (DoJ) and US Department of Homeland Security (DHS) joined Gleason and Clinton at the launch of the handbook to make the case for collaboration with government agencies as an alternative to regulation.

Adam Hickey, deputy assistant attorney general with the DoJ’s national security division, says: ‘The largest ingredient for success is not legislation, regulation or policy. It’s our relationships with people every day in the private sector.’

The department plays a role in holding perpetrators of cyber-attacks accountable, but is also available to help organizations proactively develop a response to such invasions. ‘Our goal is to better understand the threat before an intrusion occurs,’ Hickey adds.

DHS also provides a variety of resources, including a 24/7 incident response watch center, breaking news alerts about new threats, a weekly bulletin and publications about both technical and strategic cyber-security planning. These are accessible at www.us-cert.gov. 

Clinton says that, unlike in cases of corporate wrongdoing where the government stands in to protect consumers, in the cyber-security world, governments, consumers and industry are all on the same side. ‘The bad guys are out there attacking all of us, so it’s critical that we work together,’ he adds. While agreeing that it’s important for boards to have a firm grasp of legal and regulatory issues, he has reservations about the impact of rules: ‘The traditional regulatory model does not fit well for cyber-security because the technology changes too quickly.’