The National Law Review has a great article on board members' responsibility in the area of cyber security.
One quote from the article:
a 2012 Carnegie Mellon poll of how U.S. boards are managing cyber risks found that 71% rarely or never review privacy and security budgets, 80% rarely or never review roles and responsibilities, and nearly two-thirds rarely or never review top-level policies. Additionally, more than half of directors surveyed rarely review security program assessments. Every director should make cybersecurity a topic on the board’s agenda and ask questions if there is any confusion or doubt.
The National Law Review does not have anything to gain from their position, so I think it is wonderful that they are highlighting the board’s role in cybersecurity.
It seems that, with the exception of the JP Morgan Chase case, lax company policy and oversight in the area of cybersecurity was at least a contributing factor in each of the other major breaches of 2014 (Target, Home Depot and Sony).
Ultimately, the buck stops at the board of directors. Given how ugly 2014 was from a cybersecurity standpoint, and the fact that 2015 will probably be at least as bad, boards should be asking a lot of questions.