27 Dec

Corporate boards aren’t prepared for cyberattacks

CEOs and board members need to bone up on cybersecurity and not leave those matters to CIOs, analyst says
Threats against nationwide infrastructure, including the electricity grid, are “enormously serious,” she added. “Unless senior executives, corporate boards and other senior stakeholders get their act together, the threat actors will continue to win. I’m not sure how many more wake-up calls we need in this country.”
The survey also found that 59% of respondents find it challenging to oversee cyber risk. The nonprofit NACD, which has 17,000 members, is working with security awareness firm Ridge Global and Carnegie Mellon University to create a Cyber-Risk Oversight program to educate corporate directors about the systemic risks of cyberattacks.
Litan said such education is important, but she also supports state and federal laws that require organizations to report cyberattacks, so that customers and partners know to change passwords and make other adjustments to protect sensitive data.
“Having a requirement to disclose is a great motivator to increase security to prevent future attacks,” Litan said. “No one wants their names in the news. That’s what corporate directors are most worried about, in fact.”
A majority of states have data security breach notification laws, but so far there’s no nationwide provision. California first enacted its notification law in 2003, and other states followed suit.
At the federal level, a number of U.S. senators have backed breach notification laws, but no bills have passed congressional muster. President Barack Obama proposed such legislation in 2015. With the January inauguration of Donald Trump as the next U.S. president, it remains to be seen whether a federal breach notification law will take effect in the next four years, or longer.
One analyst, Jack Gold of J. Gold Associates, questioned whether a national breach notification law would be effective. “There are disclosure laws in many states and there are some government regulations that require disclosure, but I’m not sure it has any effect if companies lie about a hack or don’t disclose it,” he said.