What questions should public company directors ask about cybersecurity? (Part one)

Cyberattacks are an unfortunate reality of this day and age, and they pose a very real threat to companies across all industries. What’s more, the problem is only getting worse.

“The number, severity and sophistication of cyberattacks – whether on our retail economy, our healthcare sector, our educational sector or, in fact, our government and defense systems – grows worse by the day,” wrote Paul Ferrillo in the opening of a report for Weil, Gotshal & Manges released last month.

To cite just one example, a May report issued by New York Governor Andrew Cuomo and the state’s Department of Financial Services revealed that among the more than 150 banks that participated in the study, more than half reported having been targeted by cyberattacks. Hackers have reportedly used methods such as malware and phishing over the past three years with the goal of illegally obtaining access to bank accounts, data and customer identities.

As noted in Ferrillo’s report, titled “What Every Public Company Director Needs to Know,” public directors have a duty to protect their companies against risks related to cyberattacks, oversee cyber governance initiatives and maintain cybersecurity. The gravity of the issue is underscored by the fact that government entities have been stepping up their involvement – specifically, the U.S. Securities and Exchange Commission’s Office of Compliance, Inspections and Examinations, the Financial Industry Regulatory Authority, state departments of financial services and the Federal Trade Commission.

Action points for public company directors

As we wait for official guidance from these entities – which, as Ferrillo put it, each have “their own exhaustive list of factors or areas of examination/consideration” – Weil, Gotshal & Manges offered a list of 12 basic inquiries public company directors should be making while reviewing the cybersecurity frameworks in place for their firms. The first six are outlined below:

1) How should cybersecurity risk examination be handled by the board? Should it be addressed by the board as a whole or delegated to a particular committee? Is it important for a committee to be created for the sole purpose of handling cybersecurity? Do members of the board have sufficient experience in this regard?

2) How often should cybersecurity briefings be required for the board or committee? Quarterly? Monthly? Given the number of breaches that have hit the headlines of late, executives might want to make these meetings even more frequent, although this may depend on the industry in which the firm is operating.

3) Beyond simply advocating executive recruiting to ensure CTOs, CIOs and other members of senior management are willing and prepared to tackle the thorny issue of cybersecurity, should the board enlist its own cyber experts? The answer to this question depends on the expertise already available on the board.

4) Which of the company’s cyber assets are the most highly valued: patient data, financial information, plans for future corporate initiatives? How well do the cybersecurity measures currently in place at the company safeguard these areas?

5) The banks cited in the New York Department of Financial Services’ report as having been compromised by cyberattacks are hardly anomalies. When looking at an individual company, it’s important to consider its history with cybersecurity as well as its goals for protecting itself in the future. How often has it been the victim of cyber incidents in the past? How severe were these incidents, and how long did recovery take? What did this cost, in terms of both money and time?

6) Nobody likes to think about the worst-case scenario, but sometimes a company’s worst nightmare can turn into reality, so it’s important for the firm to be prepared. What effect would a crisis have on the organization should it come to pass? Aspects such as reputation harm and financial losses should be considered.

Look out for the final six inquiries, which will be outlined in part two.

About Caldwell Partners

Caldwell Partners is a leading international provider of executive search and has been for more than 40 years. As one of the world’s most trusted advisors in executive search, the firm has a sterling reputation built on successful searches for boards, chief and senior executives, and selected functional experts. With offices and partners across North America and in London, the firm takes pride in delivering an unmatched level of service and expertise to its clients.
