Board Directors Need to Get Involved With Cyber Risk Governance

Board directors are under a lot of pressure. They know that it’s only a matter of time before their organization suffers a cyber incident, and all eyes will naturally be on the directors themselves to see if they were properly exercising their risk oversight.

Directors also know that all interactions with the CISO will be subject to close scrutiny in the aftermath of a breach. But with the right mix of security education, communication and help from outside experts, executives can fill cyber risk awareness gaps and achieve compliance with a growing number of privacy and risk regulations.

Regulatory Pressures

Boards are worried about both lawsuits from shareholders and fines from regulators. Many regulatory agencies, such as the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC), have made strong public statements to that effect and followed up with enforcements against entities that failed to take appropriate steps to safeguard data.

In an October 2015 speech titled “The Important Work of Boards of Directors,” former SEC Commissioner Luis Aguilar said that the looming threat of cyberattacks “has only served to ratchet up the pressure on company boards to effectively implement enterprise risk oversight,” adding that shareholders can sue directors for failing to adequately protect against cyberthreats.

In December 2016, Sarah Bloom Raskin, deputy secretary of the U.S. Treasury, remarked that boards and senior leaders need to be able to ask the right questions about cyber risks and consider the trade-offs. She further argued for the need to empower boards and top leadership — through education, training and access to outside expertise — to “thoughtfully assess management’s assertions about the design and effectiveness of their organizations’ cyberdefenses” and to “evaluate the completeness and accuracy of their managements’ description of their cybersecurity programs.”

Educating Executives on Core Principles of Cyber Risk

While the topic of cybersecurity isn’t exactly a required course for MBA programs and leadership certificates, directors have been receiving more focused and actionable advice. This comes both from regulators and from organizations charged with training board directors, such as the National Association of Corporate Directors (NACD).

According to Board Agenda, board directors need “sufficient relevant skills and understanding to review and challenge management performance.” Similarly, Robyn Bew, director of strategic content development for the NACD, outlined five core principles to properly oversee cyber risks:

  1. Cybersecurity should be part of the overall enterprise risk management program.
  2. Boards should understand the legal side of cyber risks.
  3. Boards should have access to cybersecurity expertise and regularly review the issue.
  4. Boards should ensure that management has provided appropriate direction and support for cybersecurity functions.
  5. Directors and managers should determine which risks to avoid, accept, mitigate and transfer.

Read the Fine Print

While it is still unusual to see anything beyond the most generic of statements regarding cyberthreats and cyber risk governance in SEC filings, more and more companies are mentioning cyber issues as part of their quarterly or yearly disclosures. Some of these updates provide a clearer sense of what boards and top leaders are doing about cybersecurity.

For example, one company’s SEC filing clearly stated that it had conducted cyber risk governance training “to equip board members with examples of questions to ask in order to challenge management and make sure that the controls in place align with the company’s risk appetite and culture.” It added that the company would “continue to monitor the performance and level of risk” regularly throughout the next year.

Boosting Security Awareness Among Board Members

The notion of board directors challenging management’s assertions isn’t a new concept, and it applies to all other areas of board members’ responsibilities. In 2013, for example, a cyber risk guidance report from U.K.-based governance institute ICSA distinguished cyber risk from other risk types due to “the rapid evolution of technology and the resulting fundamental changes in the way business is conducted.” The report also mentioned the need for boards to “consider taking wider advice” in an effort to fully comprehend the cybersecurity challenges they face.

But perhaps the best characterization of the situation facing board directors today comes from a report by the Deloitte EMEA Centre for Regulatory Strategy, which predicted that, as a result of increased cyber risk regulations and frameworks, “boards will be asked to demonstrate they have access to sufficient cyber and IT expertise to allow them to challenge management in this area.”

Board directors appear to have received the message loud and clear that it’s no longer enough to simply receive quarterly cybersecurity updates. Given these challenges, it’s really no wonder that directors want to be seen as more engaged — and, in many ways, more skeptical — when it comes to cybersecurity and cyber risks.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato, where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how best to manage information security risks.