We recently published a paper on SSRN, Critical Update Needed: Cybersecurity Expertise in the Boardroom, that evaluates the quality of information presented by management to directors in advance of board meetings. Below is a reproduction of the text.

As part of its oversight responsibilities, the board of directors is expected to ensure that management has identified and developed processes to mitigate risks facing the organization, including risks arising from data theft and the loss of proprietary or customer information. Unfortunately, general observation suggests that companies are not doing a sufficient job of securing this data. Data theft has grown considerably over the last decade. According to the Identity Theft Resource Center, the number of data breaches tripled from 2007 to 2016. The main contributor to this increase was theft by third-party hacking, skimming, and phishing schemes (see Exhibit 1).

(more…)