As evidenced by recent communications from the SEC, corporate boards are increasingly being made to bear ultimate responsibility when it comes to cybersecurity; while the management of cybersecurity risk is the responsibility of CEOs — who normally delegate much of the day-to-day management to a CISO or the like — the oversight of that management is the responsibility of directors.
Yet, despite what seems to be a decades-long barrage of daily news reports of cyberattacks wreaking havoc, when it comes to overseeing the mitigation of cyber risk, corporate boards often fail to perform as needed and intended. It is not hard to understand why such a problem exists: cybersecurity is a relative newcomer to the list of major risks that businesses face, and cyber risks evolve far faster than other “classic” forms of risk, such as those related to accounting, legal, or physical dangers. The business world has far less relevant collective experience managing cyber risk than it does most other forms of risk — and there is even less wisdom that we can leverage from prior generations when it comes to actually overseeing the management of such risks.
Boards, of course, do not ignore…