Data security a key boardroom concern for 2013: Study

Data security and IT risk are the newest areas of concern demanding the attention of company directors and general counsel, and the ones they’re most likely to lose sleep over this year, according to a study released last week by FTI Consulting and Corporate Board Member.  

Traditional issues such as executive pay, M&A activity and succession planning headed the list of things that directors and general counsel said they expect to spend the most time on in 2013, but cyber security may be more troublesome because corporate boards and legal departments are less confident about dealing with it, according to the findings of the 13th annual Law in the Boardroom Study. More than 25 percent of the 550 respondents to the survey earlier this year said that cyber risk will occupy much of their time this year.

Protecting against growing cyber threats and data loss can be costly and companies are often scrambling to respond. The average cost per year of cyber crime rose 6 percent to $8.9 million in 2012, fueled by attacks on websites, malicious insiders and denial of service, according to an October 2012 study by the Ponemon Institute cited in the FTI and Corporate Board Member study. 

Directors said they need more information about IT strategy risk, while general counsels said e-discovery and data management are areas they need to bone up on. GCs felt that board members are least effective in dealing with risk oversight regarding e-discovery and cyber risks, while directors had the same reservations about GCs in these two areas. Just one-third of GCs said they were ‘very confident’ in their company’s ability to quickly detect a data breach and conclude whether data had been compromised.   

FTI Consulting has seen a dramatic increase in its investigative work for companies dealing with cyber hacking, illegal access to sensitive and proprietary information, and transmission of confidential intellectual property secrets to foreign competitors or governments, Michael Pace, global co-leader of the global risk and investigations practice, said in the report summary. The high-tech, pharmaceutical and some government contractor segments are particularly susceptible to these risks. FTI Consulting can help companies inventory and map their IP assets, secure their data and test their networks and systems for gaps and deficiencies.

‘Board-level concern is complicated by the fact that IT infrastructure and underlying technologies are fairly opaque to board members and certain executives, so part of our role is to demystify technology in addition to our core investigative, remediation and prevention work,’ Pace said.

The study also found that a shockingly small portion of the respondents -- 35 percent of GCs and 25 percent of directors -- had discussed in the boardroom either the FCPA guide released recently by the Department of Justice and the Securities and Exchange Commission or the SEC’s 2011 guidance on disclosure on cyber breaches. The fact that 82 percent of GCs and 63 percent of directors agreed that boards should not publicly disclose internal investigations involving at least one member of the executive team was also illuminating. While there is no one, clear best practice regarding this, it’s something board members should discuss before such an event actually occurs, the study report said.