Cyber Risk: The Board's Role - NACD BoardVision
On this edition of NACD BoardVision, Chris Clark, Publisher of NACD's Directorship Magazine, and Lou Lucullo, Chief Underwriting Officer, Financial Lines, Americas Region at AIG, discuss what directors can do to mitigate cyber risks and who the most vulnerable targets are.
>> Christopher Clark: Hi. I'm Christopher Clark, Publisher of NACD Magazine and this is BoardVision. Today's topic is cyber in the boardroom, relatively prevalent. And I'm joined today by Lou Lucullo of AIG. Hi Lou.
>> Lou Lucullo: Hey Chris. How are you?
>> Christopher Clark: Let's rip some headlines from the Wall Street Journal, The New York Times. Every single day that headline has to do with cyber security, cyber criminals, cyber liability. And in your world at AIG I'd love to hear your perspective on that liability front.
>> Lou Lucullo: Cyber security is clearly one of the main issues facing Boards of Directors today. No longer can you rely on IT departments or even policies that might have been adequate only a year or two ago. Things have drastically changed and the landscape has changed, and really that change has to be led by the top, which is the Board of Directors. The SEC is very active in it, looking at how companies disclose cyber incidents, attempting to provide more guidance. Another area that's developed over the last two years or so, there was the framework that was established by the National Institute of Standards and Technology, and that framework is a voluntary tool but a tool that boards should look at and measure themselves against and look at from a benchmarking standpoint. So today there's much more guidance out there for boards to look at and not simply rely on their IT department. But it's critical that boards become very active and not be complacent.
>> Christopher Clark: Well, let me ask you this. I don't mean to interrupt, but we just, our organizations collaborated on a cyber-handbook.
>> Lou Lucullo: Yes.
>> Christopher Clark: And if you can, like in a nutshell, if we had done this five years ago and put out that high handbook, which has received great marks, to the one we just put out here in 2014 in terms of liability where would have been the key differences?
>> Lou Lucullo: You know, the publications that we did put out came up with about five recommendations for boards that probably five years ago boards would not take into consideration, most of those. For instance, some of them are ensuring that you are looking at cyber preparedness as an enterprise risk management motive and not simply something that's done within the IT department. Another one is to ensure that you have access to cyber experts. Other recommendations include really sitting down and understanding with management what risks the company's willing to take as opposed to risks that are just too severe when it comes to cyber exposure. And frankly, some risk that it makes sense to transfer to an insurance company, and understanding how insurance products play into a company's preparedness.
>> Christopher Clark: Let me jump to exposure points and, you know, in your opinion, you are the Chief Underwriting Officer. Where do you think it's going to come, and it might be all three of these seconds, consumers, shareholders, regulators, where's the exposure point for directors?
>> Lou Lucullo: Chris, it's really a perfect storm of all of those factors that you just mentioned coming in at the same time, which is very unique from a standpoint of different angles coming to directors and officers. Each of those parties that you mentioned are very, whether they're an impacted party because of the incident, whether they're a regulator who's attempting to ensure that companies, public companies especially, are adequately prepared and disclose the risk to shareholders. It's really coming to a head here. Banks are-- the banks that issue the credit cards to those whose information was breached incur the costs of replacing those cards and will, you know, sue a board of directors for those damages. You know, companies' shareholders will most likely immediately bring a derivative suit given that allegedly a board might have breached their duty of care after a breach has occurred. So really all three or four parties all have recourse against the board of directors, so today managing through cyber preparedness is one thing, but reacting to an actual breach and what you do immediately after will really have impact as to how liable you are to these parties.
>> Christopher Clark: What would you recommend when a, you know, a board is having interactions with the CEO, with management on how best to handle that oversight responsibility?
>> Lou Lucullo: It really is a very comprehensive approach that's needed these days. In addition to just speaking with management, it's not just a listening and concurring exercise. It's taking in the information, ensuring there's enough outside expertise that is brought into the situation, running simulation exercises of an actual breach to test how prepared a company truly is. It goes much beyond just hearing from your own management as to how they think the company is prepared.
>> Christopher Clark: Lou, I wanted to thank you for your insights and thought leadership today.
>> Lou Lucullo: Thank you, Chris. It's a pleasure to be here.
>> Christopher Clark: On behalf of NACD and AIG, thank you for viewing today. I'm Chris Clark and this is BoardVision.