For the first time in the 12 years the Law and the Boardroom Study has been conducted, the risk surrounding cybersecurity was chosen by the largest percentage of responding directors and general counsel as the top issue of concern.
The annual survey by Corporate Board Member, an information and education resource for senior officers and directors, and FTI Consulting Inc., a global business advisory firm, found that 55 percent of general counsel and 48 percent of directors listed data security as their primary concern, outpacing operational risk and company reputation.
“Today, there is arguably no more insidious threat to a public company than that of cyber risk; it’s invisible, ever-changing and pervasive—making it very difficult for boards to manage,” according to the report.
This level of concern has nearly doubled in the last four years: In 2008, only 25 percent of directors and 23 percent of general counsel responding to the survey identified cybersecurity as an area of high concern.
Cybersecurity threats affect companies and organizations of all sizes, from large business enterprises to small and midsize businesses. Depending on the nature of its business, the cost of a security breach could put an organization out of business and expose the hacked company to millions of dollars in litigation.
According to a 2011 study by the Ponemon Institute, the average breach costs a company $7.2 million or about $214 for each record that is hacked.
So how are companies coping with this challenge?
Even though data security is top of mind, the survey found that less than half of directors (42 percent) reported having a formal, written crisis management plan for data. More than one-quarter (27 percent) reported having no such written plan, and another third (31 percent) were not sure of the existence of a plan.
The survey asked general counsel to rate how well their board was managing cyber risk, and while the majority gave a positive response to the question, one-third (33 percent) believe their board is not effective at managing cyber risk.
Even without a formal crisis management plan (or without knowing whether the company has one), the vast majority of respondents were still comfortable with their ability to respond to a cyberattack. Seventy-seven percent of directors and general counsel believe their company is prepared to detect a cyberbreach should one occur, the survey found.
Corporate Board Member President TK Kerstetter noted concern about the apparent disconnect between having written plans and the perception of preparedness. “I hate to say this, but I think it is going to take several well-publicized security breaches before a supermajority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster,” he said in the report.
Legislation that would have created voluntary standards to guide companies in guarding themselves against cyberattacks failed this summer in the face of strong opposition from business groups who decried voluntary standards as a regulatory burden on business.
With such cybersecurity legislation stalled in Congress, Leonid Shtilman, CEO of IT security solutions provider Viewfinity, is urging businesses not to wait for specific cybersecurity law before implementing security technology, policies and training designed to protect valuable corporate and organizational information.
“It is very difficult to judge which countermeasures to put in place,” Shtilman told SHRM Online. “Several layers of protections are needed, from the very familiar antivirus and firewall mechanisms to less known but not less practical whitelisting and privilege management solutions.”
Roy Maurer is an online editor/manager for SHRM.