Audit Committee Leadership Network, April 2014
On March 19, 2014, members of the Audit Committee Leadership Network (ACLN) met in New York to discuss cybersecurity, among other topics. In this session, members were joined by Mr. Joseph Demarest, assistant director at the Federal Bureau of Investigation (FBI) and head of the Cyber Division.
Mr. Demarest and the ACLN members touched on three main topics in their discussion of the rapidly changing domain of cybersecurity and its impact on business:
Update on the cybersecurity threat
In the short time since the ACLN last discussed cybersecurity, the seriousness of the threat has only increased. Adversaries have grown even more sophisticated in the tools they employ and in the planning and execution of their attacks. Attacks can originate in a fully commercialized criminal underground or in well-funded government espionage agencies.
Evolving company responses
Companies are scrambling to improve their responses to the evolving threat. Mr. Demarest and the members noted that many large companies are organizing their defenses more carefully, focusing on the critical assets that must be secure even if perimeter defenses fail and extending security policies to vendors, customers, and other partners. When a serious incident occurs, companies are trying to respond more quickly, with the leadership taking responsibility, especially when an incident becomes public knowledge. Some companies are considering retaliatory tactics, but Mr. Demarest advised caution in the face of unpredictable repercussions. The challenge of what to disclose about cybersecurity and cyberattacks is also evolving, as legislators and the Securities and Exchange Commission (SEC) focus more closely on the issue.
Working with the government
Governments are working hard to help companies defend themselves against cybersecurity threats, and the Obama administration has several major initiatives under way. ACLN members heard from Mr. Demarest that the FBI is improving its cooperation with other government agencies, both in the United States and abroad. He told members that they should expect sustained engagement from the FBI, including alerts about threats and unfolding attacks. He also urged companies to build a relationship with the government before they suffer a major attack, though he acknowledged the concerns that companies often have about sharing information. To help keep up with developments, he advised boards to reach out to technical experts within their companies.