SEC Commissioner Luis A. Aguilar talked about the role of the board of directors in managing cyber risks in light of recent data breaches that have generated media attention and raised public awareness.
He spoke Wednesday at the New York Stock Exchange, prefacing his remarks by saying his words were his own and not those of the SEC.
Between 2011 and 2012, he said, U.S. companies experienced a 42 percent increase in the number of successful cyber-attacks.
An attack hit Adobe Systems, Inc. in October 2013, affecting more than 38 million customer accounts, and two months later a cyber attack compromised the credit-card data of about 40 million Target Corporation customers.
There have also been numerous cyber attacks on the underlying the capital markets, including quite a few on securities exchanges, Aguilar said.
His advice: Boards must now engage compliance managers to review privacy policies, the sufficiency of IT budgets, periodic reporting of IT risks, who at the firm is responsible for various security protocols, and how breaches are reported.
He stressed that boards need to acquire the expertise to evaluate whether management is taking appropriate steps to meet their responsibilities for managing cyber risks. And boards must develop strategies for how an event could be disclosed, whether internally or externally to customers and investors, or both.
Julie DiMauro is the executive editor of FCPA Blog.