cybersecurity for board of directors - cio perspectives atlanta 2015

Upload: phil-agcaoili

Post on 17-Jul-2015

TRANSCRIPT

Page 1: Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015

Page 4

Board of Directors Exposure

• Target
  – 4 shareholder derivative lawsuits filed against directors, naming 13 directors and officers, asserting breach of fiduciary duty and waste of corporate assets.
• Wyndham
  – Lawsuit dismissed; directors showed reasonable investigation.

Make data privacy and data security, and the resources devoted to these areas, a regular topic of discussion at board meetings.*

* Hogan Lovells, Chronicle of Data Protection, 1/23/15

Page 5

Sample Concerns Driving Boardroom Conversations

• Verizon 2013 Data Breach Report – 162 companies
  – Size doesn't matter: more than 50% had < 1,000 workers
  – SMBs see security as a medium-high priority
    • Only 75% admitted sufficient knowledge to assess
  – For 1/3 of the companies, the security budget is < 10% of the total IT budget
• Mandiant Threat Report – 2014
  – 2/3 of breached companies were notified by external parties
  – 229 days (average, improved by 13 days) to detect a breach
  – 44% of phishing emails impersonate internal IT
  – Political threats: example, Syrian Electronic Army
  – Iran: targeted Saudi Aramco, RasGas

Page 6

Slide graphic: boxes reading "Sales growth is healthy", "Effective controls are in place", "Manufacturing safety metrics are in line", and "What about Cyber Security?"

"Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company's cyber security measures needs to be a critical part of a board of directors' risk oversight responsibilities."

– SEC Commissioner Luis A. Aguilar, June 2014

Page 7

National Association of Corporate Directors (NACD)

Five principles:

1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

Page 8

Six Questions the Board Should Ask*:

1. Does the organization use a security framework? (e.g., ISO 27001)
2. What are the top five risks the organization has related to cybersecurity?
3. How are employees made aware of their role related to cybersecurity?
4. Are external and internal threats considered when planning cybersecurity program activities?
5. How is security governance managed within the organization?
6. In the event of a serious breach, has management developed a robust response protocol?

* Institute of Internal Auditors Research Foundation