Luis A. Aguilar

Even in the face of the known risks posed by cyber attacks, many corporate boards are not taking the proper steps to address cyber-security issues, says a Securities and Exchange Commission official.

Speaking June 10 at the New York Stock Exchange, Luis A. Aguilar, an SEC commissioner since 2008, said, “Given the significant cyber attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber attacks, ensuring the adequacy of a company’s cyber-security measures needs to be a critical part of a board of director’s risk-oversight responsibilities.”

But he says even as the risks companies face have been front and center with recent high-profile attacks, “evidence suggests that there may be a gap that exists between the magnitude of the exposure presented by cyber risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.”

Even when boards do address the risks, Aguilar said the efforts fall short, such as failing to undertake “key oversight activities” like reviewing annual budgets for privacy and IT-security programs, failing to assign roles and responsibilities for privacy and security and not receiving regular reports on breaches and IT risks. 

Aguilar said boards should consider the National Institute of Standards and Technology’s (NIST) framework, released in February, as a roadmap. “The NIST Cybersecurity Framework is intended to provide companies with a set of industry standards and best practices for managing their cyber-security risks,” he said.

But a framework is only as good as those who implement it, said Aguilar, calling the NIST framework “a bible without a preacher if there is no one at the company who is able to translate its concepts into action plans.”

He said many boards “lack the technical expertise necessary to be able to evaluate whether management is taking appropriate steps to address cyber-security issues.”

Aguilar made recommendations such as mandatory cyber-risk education for directors, or at least having adequate representation by members with a good understanding of IT issues that pose risks to the company.

Boards could also create separate enterprise-risk committees, he said, that can “foster a ‘big picture’ approach to company-wide risk that not only may result in improved risk reporting and monitoring for both management and the board, but also can provide a greater focus—at the board level—on the adequacy of resources and overall support provided to company executives responsible for risk management.”

At a minimum, said Aguilar, boards should have a “clear understanding” of who in the company has primary responsibility for cyber-security-risk oversight.