May 9, 2017

Cybersecurity: You’ve Been Hacked – You Just Don’t Know it Yet

This Protiviti article sets forth key considerations for directors to keep in mind in providing oversight for their company’s efforts to address cyber risk. One of those considerations is particularly scary – it is highly probable that the company is already breached and doesn’t know it:

The old thinking of “it’s not a matter of if a cyber risk event might occur, but more a matter of when” is dated. It’s happening — now. For most companies, cyber risk events have already happened and may still be underway. Yet many organizations do not have the advanced detection and response capabilities they need. The proliferation of data privacy regulations around the globe and the publicity about data breaches affecting politicians, governmental agencies, global financial institutions, major retailers and other high-profile companies, along with the growing presence of state-sponsored cyberterrorism and espionage, are leading directors and executives alike to recognize the need for “cyber resiliency” to preserve reputation and brand image.

Detection & monitoring controls are generally not well-developed, and that results in continuing failures to detect breaches on a timely basis. Boards should be concerned about how long significant breaches have evaded detection before they are finally discovered.

The article says that simulations of likely attacks should be performed periodically to ensure that they can be detected & responded to quickly. Boards should also focus on the adequacy of the company’s playbook for responding, recovering and resuming normal business operations after an incident has occurred.

Verizon’s Annual Data Breach Report

Recently, Verizon issued its 10th annual “Data Breach Investigations Report”. As always, it covers trends, vulnerabilities and incident patterns generally – not just for the company…

Also, as noted in this CAQ alert, the AICPA recently released a voluntary cybersecurity reporting framework – see this overview and this description of criteria for a risk program.

More on Our “Proxy Season Blog”

We continue to post new items regularly on our “Proxy Season Blog” for members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:

– Coca-Cola’s Usable Approach to the Annual Meeting
– 2016 Mini-Season Results
– More on “Shareholder Proposals – Do They Move the Market?”
– Shareholder Proposals: Do They Move the Market?
– Tax Disclosure: Investors Demand More

John Jenkins