Our hyper-connected world poses a governance and oversight challenge for boards. Regardless of the industry or size, every organization is truly vulnerable to threats to its intellectual property and data. One misstep can cause untold costs from compromised data, loss of customer trust, diminished competitive position, fines, lawsuits and damaged reputation.


Recently, I moderated a panel for the National Association of Corporate Directors on this topic. NACD's "Public Company Governance Survey" reported that 87% of respondents felt that their board needed improvement in its knowledge of information technology, including security. Moreover, this disquiet extends to management. Deloitte recently surveyed 101 CFOs (most at companies with greater than $1 billion in revenues) and only 10% said they were well prepared for a major cybersecurity crisis, while almost 25% were insufficiently prepared.


Boards must effectively oversee and approve management of cybersecurity risk planning. They need current and complete information about the company's overall data protection program. Yet, a recent NACD survey found that only 12% of board members said they frequently receive briefings on cyber-threat mitigation. More than 60% of boards did not regularly receive such reports, and 26% rarely or never received them. These statistics do not reflect well on boards and their effective governance practices.


This combination of lack of knowledge and lack of information is a dangerous mix. More than ever, it is imperative that boards are well equipped to handle the situation. A number of high-profile data breaches have caused boards to deal with security issues that they once left to technology experts.


Directors too often are not conversant in data protection and cybersecurity. Some directors may find themselves struggling to find the right balance between the basic understanding required for oversight and the much greater level of expertise needed for organizational protection. Directors do not need to be subject experts; they are elected for their judgment. A director, however, must attain a sufficient level of knowledge to ask management suitable questions about cyber-risk mitigation, just as with overall ERM. They must feel a sufficient level of comfort with the subject to challenge the company's technical experts. Furthermore, dealing with such a difficult technical subject can cause the director to be uncertain of the line between fiduciary oversight and management-level issues. A director needs insight to avoid intruding on management's responsibility.


An educational program for board members will help. The board's existing advisors, especially those with industry-wide and multi-company experience, such as independent auditors and outside counsel, can provide briefings. Other experts, such as cybersecurity firms, government agencies and industry associations, can also provide education. Some boards consider recruiting directors with cybersecurity expertise, while they keep in mind the balance required among other needed skills.


The board must determine that management has carefully thought through cyber-risk in devising the organization's ERM plan. Just as board members may need a cyber-learning program, senior management might need to up its game as well. A lack of technical appreciation by senior management can result in sub-optimal cyber preparedness, as well as inadequate communication to the board from the C-suite.


Moreover, senior management must make certain that they are adequately informed. According to a recent survey by the Ponemon Institute, which researches cybersecurity, about 60% of the 600 IT professionals it queried generally do not report cyber-risks until they believe them to be urgent, when the problem is then often more difficult to handle.


Boards should be mindful of the legal risks posed by cyber-attacks, should one occur, especially as this is an evolving area of law. Attacks may generate lawsuits, including allegations that the board neglected its fiduciary duty by failing to confirm sufficient cyber-risk protection. Cyber insurance may help, but as with cyber-law, the cyber-insurance market is still evolving.


The data protection team that management assembles must be properly structured to be most effective. The team leader should have cross-departmental authority; the CFO, COO or chief risk officer are all possibilities. This leadership approach signals that data protection and cybersecurity is not just a technology issue involving the IT cost center, led by the chief information officer. It is a critical, comprehensive company-wide risk management issue that impacts the whole organization.


Cybersecurity affects all levels of business activity. The nature of the threat is formidable because of its complexity and speed of evolution. Directors need to continuously address it. Attentiveness by every board is required. Directors don't need to become experts, but they do need to frame the right questions to prevent a cyber-attack from severely degrading the corporation.


Stuart Levine is chairman and CEO of Stuart Levine & Associates and EduLeader LLC. He can be reached at 516-465-0800 or [email protected].
