
10/17/2014 Which Fortune 500 Boards of Directors are Taking Cyber Security Seriously? | Inside BlackBerry for Business Blog

Which Fortune 500 Boards of Directors are Taking Cyber Security Seriously?


10.09.14 / Joe McGarvey

http://bizblog.blackberry.com/2014/10/taking-cyber-security-seriously/?utm_medium=social&utm_source=LINKEDIN_COMPANY:BlackBerry&utm_campaign=Enterprise&linkId=9948719 1/5

Directors of corporate boards are being challenged to take greater responsibility for cyber security, as well as being threatened by legal actions if they fail to
do so.

Though these calls for action, coming from multiple sources, suggest an insufficient awareness of business-crippling threats at an organization's highest
levels, available evidence tells a more complicated story:

While a sizable percentage of corporate boards have yet to fully engage in their companies' cyber security operations, many large public companies have
been addressing cyber security at the board level for the past few years.

Oversight at the Top

Wells Fargo, number eight on Forbes' 2014 ranking of the 10 largest public companies in the world, for example, has included cybersecurity as a risk
factor in its financial filings since 2011. The following excerpt is from the company's annual report for that year:

Although we believe we have robust information security procedures and controls, our technologies, systems, networks, and our customers' devices may
become the target of cyber attacks or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss or
destruction of Wells Fargo's or our customers' confidential, proprietary and other information, or otherwise disrupt Wells Fargo's or its customers' or other third
parties' business operations.

Recent efforts to elevate the oversight of an organization's digital assets from the IT department to the business's Board of Directors have been stepped up in
response to an uptick in high-profile cyber attacks. Professional associations, government agencies and other voices in recent months have called for greater
involvement from BoDs in the planning and execution of cyber security programs and strategies.

In a June 2014 address at the New York Stock Exchange, Securities and Exchange Commissioner Luis A. Aguilar said that the corporate boards of US
businesses needed to sharpen their focus on cybersecurity to lessen the frequency and aftermath of future attacks:

Effective board oversight of management's efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and,
ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.

The National Association of Corporate Directors (NACD), a professional association with more than 14,000 members, in June published the Cyber-Risk
Oversight handbook. The document, a collaboration of NACD, AIG and the Internet Security Alliance, provides corporate boards with advice on enhancing
their oversight of cybersecurity risks.

Growing Public Awareness

Recent attacks on high-profile retailers and banks, as well as revelations of state-sponsored surveillance and espionage, emphasize the vulnerability
of businesses and government agencies of all sizes.

Though the majority of recent public breaches have been focused on obtaining customer data, such as credit card information, security experts warn of
attacks that could cause a total shutdown of operational capabilities. Such attacks would not only impact the value of shares or the reputation and competitive standing of a business;
they could also destabilize financial markets, defense systems or emergency services.

It's no wonder, then, that a chorus of voices is calling for corporate boards to assign the same priority to cyber security as they do to other business risks
under their oversight.

Stepping up Cyber Risk Activities

But are businesses getting the message?

Those at the top of the food chain seem to be, at least based on what they are telling their shareholders.

Similar to Wells Fargo, J.P. Morgan Chase added a cybersecurity risk factor to its 10-K filing in 2011. Exxon Mobil and Berkshire Hathaway, both named on
Forbes' 2014 largest companies list, included the disclaimer in their 2012 financial filings.

General Electric, somewhat surprisingly, given that it is not a major player in the financial services industry, issued a warning to shareholders in documents
dating back to 2010.

Loose Correlation

It's impossible to correlate the inclusion of cyber security risk factors in financial filings with meaningful BoD oversight. Similarly, it's unfair to make
assumptions about the quality or effectiveness of a company's digital defenses based on publicly revealed security breaches.

Of the top five largest public companies in the US, JP Morgan has been the most aggressive in promoting its cyber security activities in public documents. The
company's 2013 annual report includes an update from President, CEO and Chairman Jamie Dimon emphasizing the company's commitment to digital
security, including the construction of three state-of-the-art Cybersecurity Operations Centers.

Despite these efforts, which are estimated to exceed $250 million annually and involve 1,000 people by the end of 2014, according to the company's most
recent annual report, JP Morgan was the primary target of a recent and prolific cyber attack.

Mainstream Businesses Playing Catch-up

Research involving more mainstream businesses suggests sluggishness by BoDs to take on key cyber risk management tasks, such as reviewing budgets
and assigning roles and responsibilities. A 2012 survey of more than 100 corporate officers from companies on the Forbes Global 2000 list
conducted by Carnegie Mellon University found that only 33% were including computer and information security among their risk management
responsibilities. Results from a more recent version of the biennial survey were not available.

Legal Actions against BoDs

The primary responsibility of directors, who are often not involved in the day-to-day operations of the public companies they serve, is protecting the interests of
shareholders. Their own financial fortunes, though, might be greater motivation for BoD members to take a larger role in the protection of the company's digital
assets.

At least two lawsuits (Collier v. Steinhafel et al. and Dennis Palkon et al. v. Stephen P. Holmes et al.) have been filed this year that seek to place a portion of
the responsibility for recent security breaches with company directors. The lawsuits charge board members and company officials with failing to take
adequate measures to protect the digital assets of the business. The cases portend an erosion of immunity from dismissal or financial penalties resulting from
cyber attacks at the board level.

For directors that have yet to heed the call to take on greater responsibility for cybersecurity, nothing is likely to get their attention faster than a potential attack
on their pocketbooks.

About Joe McGarvey


An Enterprise Mobility Strategist at BlackBerry, McGarvey has covered the enterprise and telecommunications industries for more than 20 years as both a
journalist and analyst. He is best-known as a long-time principal analyst at leading market research firm Current Analysis. McGarvey has also been an analyst
for Heavy Reading and an editor at several leading technology magazines.
