Now being discussed in a corporate boardroom near you.
[And if it’s not being discussed, it should be!]
Article by Danny Yadron in WSJ, The Wall Street Journal.
Emphasis in red added by me.
Brian Wood, VP Marketing
Corporate Boards Race to Shore Up Cybersecurity
Directors Grapple With Issues Once Consigned to Tech Experts
After a series of high-profile data breaches and warnings, corporate boards are waking to cyberthreats, grappling with security issues they once relegated to technology experts.
Computer hacking is on the agenda these days when Kellogg Co. ‘s directors meet, alongside more conventional topics like cereal trends and the company’s reliance on Wal-Mart Stores Inc.
Kellogg’s management is especially worried that cyberattackers might try to steal the company’s know-how, like the way it puts the “Snap, Crackle and Pop” in Rice Krispies or the curve in Pringles potato chips, according to two people briefed on its computer defenses.
To guard against such threats, Kellogg’s board in 2012 created a dedicated security group and hired the company’s first chief information-security officer, according to slides for a company presentation that were viewed by The Wall Street Journal.
Directors at Tyson Foods Inc. are briefed yearly on cybersecurity, “as well as on an as-needed basis,” said a spokesman for the meat and poultry processor. Exxon Mobil Corp. Chief Executive Rex Tillerson boasts privately about testing his employees to see if they respond to suspicious emails that might be hacker tricks, a person who recently met with him said. In 2011, Delta Air Lines Inc. added a board member because of his “substantial expertise in the information-technology-security industry,” according to a company filing.
Even before hackers stole 40 million credit- and debit-card numbers from Target Corp. stores last year, Wal-Mart directors received frequent rundowns from outside consultants on cyberthreats, including gangs of Russian-speaking hackers who target payment-card data, a person familiar with the meetings said.
A Wal-Mart spokesman didn’t dispute that account.
So far this year, 1,517 companies traded on the New York Stock Exchange or Nasdaq Stock Market listed some version of the words cybersecurity, hacking, hackers, cyberattacks or data breach as a business risk in securities filings, according to a Wall Street Journal analysis. That is up from 1,288 in all of 2013 and 879 in 2012.
Still, federal officials and others say many companies remain ignorant of, and unprepared for, Internet intruders.
“There may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks,” Securities and Exchange Commissioner Luis Aguilar told directors earlier this month at a cybersecurity conference at the New York Stock Exchange.
The same week, nearly 100 board members and top executives met in Chicago for the first cybersecurity summit of the National Association of Corporate Directors. They heard a former official of the Federal Bureau of Investigation and representatives of federal agencies warn that many companies aren’t prepared for Internet intruders.
Some attendees at the Chicago conference bemoaned their inability to understand their own tech employees. Others worried because bloggers often learn of data breaches before executives at the affected companies.
Attendees said they now appreciate that cybersecurity can affect job security. After Target’s data breach and other missteps, the company fired its chief executive, and its chief information officer resigned. A shareholder advisory firm recommended dumping most of the board. Target investors, however, recently re-elected all 10 of the retailer’s directors.
If the firm’s recommendation to oust the board “doesn’t rattle directors’ cages, nothing will,” said Gerald Czarnecki, a director at State Farm Mutual Automobile Insurance Co. As head of the audit committee there, Mr. Czarnecki recently devoted two-thirds of a 4-hour meeting to information security, more than he has in the past.
He declined to elaborate.
Even among companies that have elevated cybersecurity to a boardroom issue, most are loath to discuss details, for fear of attracting or tipping off would-be attackers.
A longtime banker, media executive and leadership consultant, Mr. Czarnecki, 74 years old, said he and his peers aren’t always fluent in the technology of computer defenses. “Most people in this room have gray hair,” he said at the directors’ summit. “It’s like having someone who has never paid any attention to their health talk to a doctor.”
When Ellen Richey, Visa Inc.’s chief enterprise risk and legal officer, meets with the board members of client companies, she often struggles to persuade them to encrypt more data. The process makes it harder for hackers to break in but can slow down computers as they scramble and unscramble encrypted data.
“It’s a human problem,” Ms. Richey said. “It’s a business-process problem.”
At a conference last year, Steven Young, Kellogg’s chief information security officer, said the company was less worried about hackers stealing recipes than theft of its production processes, such as “how we get the curve in a Pringle,” said a person who heard his presentation. Prior to joining Kellogg, Mr. Young worked at defense contractor Lockheed Martin Corp. and other companies, according to publicly posted biographies.
Kellogg makes sure certain trade secrets about how it makes cereal are stored on a machine that isn’t connected to the Internet, said one of the people briefed on the company’s computers defenses. American spy agencies sometimes use the same tactic to wall off classified information from intruders.
“Information on our recipes, including where they are stored, is proprietary,” said Kris Charles, a Kellogg spokeswoman.
In a February securities filing, Kellogg said, “To date, we have not experienced a material breach of cybersecurity.”