Former S.E.C. Commissioner Continues to Sound the Clarion for Better Corporate Governance Regarding Cyber-Risk

By: John Goselin

For years now, Louis Aguilar has been speaking, cajoling and encouraging American businesses of all sizes to focus their attention on cyber-security and on mitigating the cyber risks inherent in conducting business in this modern technological era. Although his tenure as a Commissioner of the Securities and Exchange Commission officially ended in June 2016, Mr. Aguilar continues to speak thoughtfully regarding the issues faced by business management and boards of directors, and the critical role of the Chief Information Security Officer (CISO) in American corporations.

On September 22, 2016, Mr. Aguilar spoke at the Security Alliance Advisors’ Annual Leadership Summit and provided his current thoughts on how the CISO can help directors of businesses of all sizes understand the corporate risk presented by cybercrime. His full remarks can be found here.

Much of what Mr. Aguilar has to say harkens back to the S.E.C.’s March 26, 2014 Roundtable regarding Cyber-Risks, but since the risks and costs associated with cyber-attacks only increase year after year, Mr. Aguilar’s ideas and concepts bear repeating:

  • Boards of directors need to educate themselves regarding the cyber risks that threaten the business they are overseeing;
  • Boards of directors and business executives should become familiar with the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”), which the government is advocating as best practices for cybersecurity;
  • The CISO should play a critical role in modulating the information provided to the board of directors, to ensure that the board is adequately informed but not overwhelmed with technical details.

Cyber security is not simply an IT problem. Managing cyber risk is a critical part of a board of directors’ overall duty to monitor a business’s risk profile. Cyber risks are no less important than credit risks, liquidity risks or operational risks. It has long been recognized that the CEO and CFO of a corporation have a special, close relationship with their board of directors. The time has come to recognize that the CISO is every bit as important as the CEO and CFO.