SEC Guidance to companies has been revised to further emphasize need for more robust public company disclosure of cyber risks and costs, although many public companies now do have extensive if predictable disclosure sections. And, in fact, directors need to have been on Mars to miss the clear implications of Equifax and Yahoo.
The National Association of Corporate Directors proposed, in its last Weekend Reader sent to members, some granular specifics that bear emphasis: directors need to make certain that the executive team regularly examines incident response and prompt disclosure policies where shareholder value may be materially impacted; boards should insist on immediate notification of incidents, so that directors and management do not trade securities on that information; management must be directed to establish a risk identification regime, including identifying which risks are absolutely to be avoided and which are to be accepted; and staffing for mitigation needs to be identified and budgeted. Boards also need to explore which risks should be insured against.
One might think this is all basic board blocking and tackling, but with so many public failures having occurred, perhaps not. It also suggests that cyber needs to be on the agenda, at least for reiteration, for each board meeting, with an occasional deep dive.
Seems to me a board committee specific to cyber, or a specific delegation to a separate Enterprise Risk Management Committee, makes sense for many boards as a minimum to avoid a Caremark-style claim that the directors totally disregarded their duty to supervise.