By Matt Hamblen
Jan. 11, 2017
"Cybersecurity is the most significant governance challenge for the public and private sector," Ridge said. "It's not just the exclusive domain of the CIO and CTO and is now in the domain of the CEO and the corporate board."
"We're not trying to turn members of boards into technologists, but it will be a better way to understand the risks and broader implications of IT systems and how they impact all parts of business operations, from procurement to HR to supply chain, communications, mergers and intellectual property," he said.
Ridge said the training is intended to urge board members to make an attitude change in favor of greater scrutiny over cyber matters. "If your attitude hasn't changed about cybersecurity, then there's risk for your brand and reputation from a financial point of view," he added. "There's greater risk from SEC investigations over cyber and risk from litigation over cyber."
NACD, which has 17,000 members, recently surveyed more than 600 board directors and professionals and found only 19% believe their boards have a high level of understanding of cybersecurity risks. Also, 59% said they find it challenging to oversee cyber risk. The NACD and the Internet Security Alliance, a trade group, this week are issuing an update of a Cyber Security Handbook first issued in 2014 that has been endorsed by the Justice Department and the Department of Homeland Security.
Ridge also said that federal legislation to require companies to disclose computer hacks at the national level could be valuable to general counsels in large companies with operations in multiple states. Currently, there are disclosure laws in many states, but they are inconsistent. "General counsels in companies probably would like to see a uniform type of reporting, since disclosure varies from state to state," Ridge said.
Still, Ridge said that disclosure laws are "unfortunately at the tail end of the problem, after a company has been hacked. We're trying to minimize hacks. If companies rely on government to help them, that's misplaced confidence. Companies have the most significant responsibility."