The board of directors is expected to ensure that management has identified and developed processes to mitigate risks facing the organization, including risks arising from data theft and the loss of information. Unfortunately, recent experience suggests that companies are not doing a sufficient job of securing this data. In this Closer Look, we examine the types of cyberattacks that occur and how companies respond to them. We ask: What steps can the board take to prevent, monitor, and mitigate data theft? What data, metrics, and information should board members review to satisfy themselves that management has taken proper steps to minimize cyber risks? What qualifications should a board member have in order to constructively contribute to boardroom discussions on cybersecurity? How difficult is it to find board candidates with these skills?
Copyright held by David F. Larcker, Peter C. Reiss, and Brian Tayan. Further inquiries about reproduction and use should be directed to the Corporate Governance Research Initiative.