Does Your Board Need a ‘Qualified Technology Expert,’ or Even a Technology Committee?
A recent Forbes article argues that it is becoming increasingly necessary for boards to possess cyber security and technology expertise. Interviewee Bob Zukis, professor of Management and Organization at the USC Marshall School of Business, draws a comparison to the Sarbanes-Oxley requirement for boards to have qualified financial experts (QFE). “We now need qualified technology experts (QTE), and while it’s not a regulatory requirement, at least not yet, there’s only an upside for boards to add these skills today.”
Mr. Zukis is highly critical of the common practice of tasking the audit committee with the responsibility of cyber security risk oversight. “That’s probably the worst place to put it as it doesn’t receive the attention it requires and the audit committee in most cases does not have the right skillset for overseeing technology, data and privacy issues.” Instead, Mr. Zukis is “a big believer in the value of a focused technology and cyber security committee for most public and many private companies.”
On the same topic, the Ernst & Young Center for Board Matters recently published a report titled “What boards are doing today to better oversee cyber risk.” Among several other key takeaways, the report encourages boards to do the following:
- Set the tone that cyber security is a critical business issue; the time and effort the board spends on cyber security signifies whether it is a priority for the company.
- Stay attuned to evolving board and committee cyber security oversight practices and disclosures.