The U.S. Should Pass Strong Cybersecurity Disclosure Legislation For Publicly Traded Companies

This is shaping up to be a record year for data breaches, which is further proof (if proof were needed) that many U.S. companies do a poor job of managing cybersecurity risk.

As a remedy, some have suggested that every publicly listed company be required to have at least one cybersecurity expert sitting on its board. During the current session of Congress, legislation was introduced requiring public companies to disclose whether any board members had such expertise.

The bill’s sponsors no doubt meant well, but the legislation falls short of what is necessary. Whether through legislation or other means, corporate boards must be made to understand that they own all risk facing their organizations.

To meet this responsibility, they must ensure that their organizations are committed to addressing cybersecurity and privacy risk, create a risk management program to assess and address such risk, and institute an organization-wide governance mechanism to ensure that cyber risk is managed appropriately, given an organization’s business objectives and risk environment. There must also be a mechanism for informing board members of an organization’s risk posture and what actions are…