July 31, 2014

Cybersecurity: Implementing the Framework

There has certainly been no shortage of attention paid to cybersecurity issues over the past couple of years, and one thorny issue that has plagued lawmakers and others is how to you compel companies to improve their cybersecurity efforts when there is no direct regulatory authority to do so.  As is often the case, the SEC comes to mind, because it is the one agency that has some regulatory authority over large companies across all industries.  Unfortunately, the SEC largely only regulates the disclosure by these companies (and, indirectly, through oversight of the stock exchanges, corporate governance standards), making it difficult to use the SEC’s powers to compel business decisions with respect to information technology resources.  As we all recall, the Staff’s cybersecurity disclosure guidance was one effort in this regard, and as Broc recently noted, enforcement cases may be another tool.  One tried-and-true tool is, of course, the bully pulpit, and Commissioner Luis Aguilar delivered a speech back in June expressing his views on what boards should do to ensure that their companies are addressing cybersecurity risk.  In Commissioner Aguilar’s view, cybersecurity risk must be considered as part of a board’s overall risk oversight responsibilities.  Commissioner Aguilar strongly recommended that companies consider the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology in February 2014, which is intended to provide companies with a set of industry standards and best practices for managing their cybersecurity risks.  Given that some have suggested the Framework will become a baseline for best practices by companies, Commissioner Aguilar expressed his view that boards should work with management to assess their policies against the guidelines in the Framework.  While the speech represented just the views of Commissioner Aguilar and not the Commission as a whole, it would certainly appear that the Framework is something that companies should review and carefully consider now, rather than after something bad happens to their information systems.

Tune in on September 16th for our webcast – Cybersecurity: Working the Calm Before the Storm – to find out what you should be doing now to address cybersecurity risks…

More on Implementing COSO 2013

Implementing the new COSO standard continues to be a hot topic, and Edith Orenstein recently recounted in FEI Daily’s Financial Reporting Column a program in which three financial executives described their implementation efforts to date.  One of the executive described the process as “evolution, not revolution,” and they all provided some practical tips on implementing the new standard.  For more background on the new COSO standard and the steps you need to take to implement the standard, take a look at the May-June 2014 issue of The Corporate Counsel.

More on “The Mentor Blog”

We continue to post new items daily on our blog – “The Mentor Blog” – for members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:

– SEC Warns On Incentivizing Employees to Only Whistleblow Internally

– JOBS Act Related Bills Move Forward

– Reg 506(b) Offerings Continue to Dominate Regulation D Practice

– “Does Your Board Have a Duty of Imagination?” Egads…

– Dodd-Frank Hammers Small Banks

– Dave Lynn