By: Carl Kampel
The evolving role boards of directors play in addressing cybersecurity was discussed recently at a roundtable hosted by the SEC. Commissioners asked whether cybersecurity matters should be addressed by audit committees or whether boards should be required to have risk committees with a cybersecurity expert, just as audit committees are required to have a financial expert. While no consensus was reached, panelists noted that this decision should depend on the nature of a company’s operations and the magnitude of the cybersecurity risk to those operations.

In response to a February 12, 2013 executive order, the Commerce Department’s National Institute of Standards and Technology (NIST) issued a Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014 (http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf). While organizations that operate critical infrastructure are not required to adopt the framework, they will be encouraged to do so. Moreover, the framework identifies current best practices and provides a process that any company can use to identify gaps in its cybersecurity.

Panelists generally supported the SEC staff’s guidance in CF Disclosure Guidance: Topic No. 2, Cybersecurity (http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm) in determining the need for disclosure of cyber incidents.