The recently released Carnegie Mellon CyLab 2010 Corporate Governance survey confirms that there is little change in senior management’s views towards data security – it’s not really a priority. The CyLab annual survey, which measures board and management attitudes towards the protection of digital assets, is based upon results received from respondents at the board or senior executive level from Fortune 1000 companies. Given public filing requirements, you would think protection of digital and related intangible assets – which now comprise the bulk of a firm’s value – would be a top-of-mind issue. It’s not.
When asked to identify their boards’ three top priorities, “improving computer and data security” was not selected by 98% of the respondents. The respondents also indicated that their boards were not “actively addressing” IT operations or vendor management. In essence, privacy and security of data inside or at outside vendors is receiving little oversight from management.
Interestingly, 65% of the respondents also indicated that their boards were not reviewing their companies’ insurance coverage for data risks even though most standard policies offer little or no coverage. Standing alone, this approach may not be an example of sound business judgment given the availability of specific insurance policies able to cover loss or destruction of digital assets.
Not quite sure whether this survey is a real wake-up call or not. The only thing for certain is that these attitudes are hardly what one would consider a best practice. Sarbanes-Oxley Section 404 requires a “top down” audit on internal controls, which should provide some guidance on how digital assets are protected. Indeed, under 15 U.S.C. § 7262(a), the Section 404 report must “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” It is difficult to see how management can in good conscience sign off on these assessments while still maintaining that “improving computer and data security” is not a priority.
Notwithstanding how firms may perceive their Section 404 obligations, Google, Intel, Symantec and Northrop Grumman, recognizing the potential “materiality” of computer security failings, recently added new warnings to their SEC filings informing investors of such risk. The fact that some companies have come forward to detail recent breaches and the possibility of future breaches should indicate to other companies the need to address this reporting issue in a more proactive manner. And, once risk disclosures are publicly made, the next obvious step is to ensure that proper protections are in place to address the risk. Reporting uncoupled from affirmative preventive action is simply fodder for class action litigation the next time an event takes place. What may be even worse is completely turning a blind eye to the entire problem.