As an increasing number of major retailers and financial institutions are falling victim to hacks like those against Target, Home Depot and JPMorgan, many experts say corporate boards aren’t doing enough to protect customers from cybersecurity breaches. While corporate boards are a step removed from companies’ day-to-day operations, the increasing risk of data breaches means that board members need to be more involved in cybersecurity, observers say, whether by pushing for security oversight or reshuffling executives who don’t react properly to crises.
“We live in the post-Target era,” said John Kindervag, security analyst at Forrester. “There’s a moral obligation to consider firing an executive team because of a data breach. It’s a huge business failure.”
Corporate boards rarely review cybersecurity plans or involve themselves in the particulars of data protection, traditionally viewing security as an information technology problem. According to a PricewaterhouseCoopers report released last month, just 42% of 9,700 executives in over 150 countries said their boards are involved in security strategy; just 25% said their boards are involved in reviewing security and privacy threats.
“They’ll say to the CEO, what are we doing about security, and then don’t get involved at all until they get breached,” says Avivah Litan, security analyst at Gartner. “Most companies don’t communicate at that level with the board. They’re out of touch and they’re totally clueless about information security.”
Securities and Exchange Commissioner Luis Aguilar put it more gingerly to board directors earlier this month at a New York Stock Exchange cybersecurity conference. “There may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks,” Aguilar said. There’s a discrepancy, too, between what shareholders demand of boards and what they’re actually doing — a survey published by Institutional Shareholder Services (ISS) last month shows that nearly 70% of shareholders view board oversight actions prior to hacking incidents as “very important.”
Negligent boards may find themselves facing questions from angry shareholders and customers after a cyber breach. In June, ISS made the unusual recommendation that Target shareholders oust seven out of 10 members of its board after credit card information belonging to 40 million customers was compromised, laying blame on two board committees in particular.
“The data breach revealed that the company was inadequately prepared for the significant risks of doing business in today’s electronic commerce environment,” ISS advised. “The responsibility for oversight of these risks lies squarely with the Audit Committee and the Corporate Responsibility Committee.” Shareholders re-elected the board, but ISS’ condemnation was a wake-up call for retailers. Target is now facing an investigation from the Federal Trade Commission into the details of the breach.
Home Depot, meanwhile, was a founding member of a threat-sharing group of major retailers earlier this year, and its board received regular updates on cybersecurity, according to a spokesman. “IT and IT security have regularly been items on our board meeting agendas for several years now, and the board has received regular updates on the breach since it occurred,” said that spokesman. But the hardware retailer was caught flat-footed by a data breach this year that jeopardized 56 million customers’ credit cards, and managers ignored weaknesses in cyber defense before the attack, the New York Times reported last month.
Analysts say a strong board of directors should know how to ask management the right questions about cybersecurity. “The board is not responsible for identifying risk, but it sure as hell needs to know that management understands that responsibility and knows how to respond to it,” said Rick Steinberg, former governance practice leader at PricewaterhouseCoopers.
Ultimately, it might be a financial motivation that gets corporate boards to take a closer look at their firms’ cybersecurity standards. Target’s net income dropped more than $400 million in the quarter the breach was announced compared to the year before; the company said direct costs from the data breach would reach $148 million in the second quarter of 2014 alone. The total expense of any breach, including lost profits from nervous consumers, is often incalculable. “A data breach is the equivalent of an oil spill,” said Kindervag. “It’s a fundamental business issue.”