Data breaches from cyber attacks have wreaked havoc on major industries in recent years. Prominent companies like Target, Anthem, Home Depot, JPMorgan Chase, and eBay have all been affected by targeted attacks. These attacks, which typically put individuals’ private identification numbers and payment methods in jeopardy, come at a great cost to corporations.
The Ponemon Institute found that, on average, each individual data loss costs a company approximately $154. Multiply that number by 83 million users, and JPMorgan Chase’s recent loss comes to around a staggering 12.78 billion dollars—and that’s just a rough estimate; the number is likely higher.
Obviously, these high-profile hacks and breaches have pushed cyber security to the forefront of board members’ concerns. According to PwC’s most recent Corporate Directors Survey, board members are becoming more engaged with IT strategy—namely cyber security risks.
The study states, “83% of directors describe themselves as at least ‘moderately’ engaged with overseeing the risk of cyber attacks.”
Although board members are increasingly aware of the threat of data breaches and other types of cyber attacks, few of them feel that their company is fully prepared to combat these threats. In fact, Spencer Stuart’s recent survey of audit committee members found that only 21% of corporate directors felt that their organization has cyber security risks well under control.
That leaves a sizable gap between the number of board members who are confidently thwarting cyber attacks and those who are simply aware of the risks involved.
Some boards are combating this issue by bringing an IT specialist onto their team—an issue that we covered on our blog not long ago. Others argue that board members should push CEOs and CIOs to invest in cyber attack prevention at the highest levels internally, as most board members won’t have the expertise needed to combat these risks anyway.
Regardless of how boards decide to combat these attacks, it’s become increasingly clear that they must act in a direct way in order to avoid personal risk in addition to the ever-increasing cyber risks. According to The International Association of Privacy Professionals, lawsuits are frequently popping up and arguing that board members were “asleep at the wheel” in relation to cyber threats.
Dana Post of IAPP writes, “Target, for example, is now facing a shareholder derivative lawsuit…alleging Target’s board members and directors breached their fiduciary duties to the company by failing ‘to maintain proper internal controls’ related to data security and misleading affected consumers about the scope of the breach after it occurred.” Wyndham Worldwide Corporation is facing a similar lawsuit.
At Directorpoint, we encourage board members and companies to work proactively to prevent cyber attacks, rather than relying on a solely defensive strategy. Check out these tips from Spencer Stuart, which identify “five key aspects to the board’s role in managing cyber security risk.”