By: Mark Tarallo
On June 10, 2014, Commissioner Luis A. Aguilar of the United States Securities and Exchange Commission spoke at the New York Stock Exchange as part of the “Cyber Risks and the Boardroom” Conference. As Commissioner Aguilar noted, “[c]ybersecurity has become an important topic in both the private and public sectors, and for good reason. … Indeed, according to one survey, U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they experienced per week.” Commissioner Aguilar indicated that not only are attacks becoming more frequent, they are becoming more expensive, citing one survey that showed that the average annualized cost of cyber-crime to a sample of U.S. companies was $11.6 million per year, representing a 78% increase since 2009.

Commissioner Aguilar concluded his remarks by stating quite clearly that boards of directors bear an increasingly heavy burden when dealing with cybersecurity, as “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.” Commissioner Aguilar laid out several steps for proactive boards to engage in, including working with management to ensure that corporate policies match up with NIST Cybersecurity Framework guidelines, creating an enterprise risk committee on the board to make sure that members are adequately educated, and preparing in advance for the “inevitable” cyber-attack.

Given the SEC’s recent enhanced focus on cybersecurity issues, Commissioner Aguilar’s remarks send a clear message to directors to embrace the responsibility of addressing cyber risk and adequately preparing for attacks.
The complete transcript of Commissioner Aguilar’s remarks can be found here.