Cybersecurity should be a primary concern for businesses, as one breach can cost a company approximately $7 million in fines, settlements and external resources. In a recent survey, 58 percent of board members felt cybersecurity was important, but only 37 percent reported that they were confident in the practices they had put into effect.
On Nov. 13, Troutman Sanders hosted its Annual Public Company Seminar and, this year, offered a panel dedicated to cybersecurity. The panel focused on the Board's role in overseeing cybersecurity exposure and featured a presentation from San Francisco Associate Sheila Pham and discussion from clients Jan Davidson of Delta Air Lines, Myra Bierria of The Southern Company, and Jason Bevis of Cylance Consulting. Atlanta Partner David Chaiken moderated.
Pham kicked off the panel by emphasizing that, in today's technology-based business economy, data incidents are almost inevitable, and that cybersecurity needs to be a primary focus for public companies. When a company fails to put solid cybersecurity practices in place, they risk serious implications, including tarnishing their reputation, a reduction in shareholder value and investigation by the FTC.
Pham presented a four-pronged approach to establish cybersecurity best practices for boards of directors. Best practices include:
- Education: understanding threats, issues at stake and key elements of a cybersecurity plan
- Communication: staying informed, engaging with senior IT executives and CISO (chief information security officer)
- Balance: conducting periodic tabletop exercises, awareness of available external and internal resources
- Audit and Review: annual audit of cybersecurity plan, defenses and budget, evaluation
Pham noted that the companies best prepared to handle a cybersecurity incident are those that can address events with accuracy and speed, are both transparent and accountable, and utilize the services of third-party firms to beef up cybersecurity efforts.
During the panel discussion, Delta's Jan Davidson said that knowledge about IT and cybersecurity practices was "not optional" for her company's audit committee. Delta encourages internal education on cybersecurity matters through both company-based programs, annual meetings with the CTO (chief technology officer) and CISO and external training through the National Association of Corporate Directors (NACD).
In discussing the cybersecurity measures in place at Southern Company, Myra Bierria said that a Business Security Committee, currently a subcommittee of the company's Operations and Environment Safety Committee, is in place that deals not only with data issues, but also with operational-based scenarios. The committee comprises subject matter experts who have top security clearance with the government and conducts tabletop exercises internally and externally on both a regional and national basis. The CISO puts out quarterly reports and meets with the company's CEO three times a month to review developments.
As an outside consultant to companies navigating cybersecurity issues, Jason Bevis of Cylance Counseling said that he generally interacts with their boards in one of two ways. The first is on an ad-hoc basis, where he delivers presentations, builds programs and gets boards up-to-speed on current issues. The second is more of a scheduled frequency, such as advisory boards, to gain knowledge of new developments. Other companies schedule quarterly meetings, looking for advice in dealing with new threats and how to detect them. Bevis noted that companies are moving toward a more preventative mindset in their cybersecurity strategies and working harder to mitigate the impact of cyber incidents.
As a company is judged on how it responds to a data incident, it's of the utmost importance to have a solid cybersecurity plan in place to deal with breaches, ransomware threats and other data incidents. From the responses of the speakers at this panel, it seems that this message is coming through loud and clear.