Cybersecurity a risk for boards of directors.

Author: Burke, Kerry Shannon
Position: Government Contracting Insights

Reports and survey data clearly indicate that cyber attacks on businesses are pervasive and growing rapidly. Various reports estimated the annual cost of cyber crime in 2015 at $400 billion to $500 billion, an amount that has quadrupled since 2013 and that is forecast to quadruple again by the end of the decade.


Although this trend should be alarming for all companies, cybersecurity is particularly important for companies in the defense industry, which face significant regulation and reporting requirements with respect to their government contracts and heightened risk of sophisticated attack from hostile governments and non-state actors due to the highly sensitive nature of some of their programs.

In addition to posing fundamental business, security, contracting and reputational issues, cybersecurity presents a governance challenge for boards of directors. However, boards can take practical steps to reduce the possibility of a catastrophic cyber attack and defend their conduct in the wake of an event.

The best-designed network security plan in the world will be as ineffective as the compromised system on which it is saved if the board of directors is not committed to developing a corporate culture that takes cybersecurity seriously. This process does not require that directors become technical experts on such threats, but rather that the board emphasize and cultivate a culture of awareness and accountability throughout the organization. Steps that boards can take in this regard include the following:

* Ensure that cybersecurity is addressed by the board committee charged with risk oversight;

* Emphasize that responsibility for compliance with the cybersecurity plan and achievement of plan objectives is not a task for the information technology function, but instead an obligation that transcends the company's reporting structure;

* Mandate a company-wide cybersecurity training program and instruct management to review and update existing training programs to address new threats;

* Develop procedures to provide for timely internal reporting of cyber breaches and the discovery of new risks;

* Incorporate cybersecurity objectives into the incentive compensation structure for the CEO and other senior managers;

* Include cybersecurity oversight in director education programming; and

* Include experience managing cyber risks in director recruitment and in the board's evaluation of the skill set of the board as a whole.

As...
