August 24, 2017 By Christophe Veltsos 3 min read

Board directors are under a lot of pressure. They know that it’s only a matter of time before their organization suffers a cyber incident, and all eyes will naturally be on the directors themselves to see if they were properly exercising their risk oversight.

Directors also know that all interactions with the CISO will be subject to close scrutiny in the aftermath of a breach. But with the right mix of security education, communication and help from outside experts, executives can fill cyber risk awareness gaps and achieve compliance with a growing number of privacy and risk regulations.

Regulatory Pressures

Boards are worried about both lawsuits from shareholders and fines from regulators. Many regulatory agencies, such as the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC), have made strong public statements to that effect and followed up with enforcements against entities that failed to take appropriate steps to safeguard data.

In an October 2015 speech titled “The Important Work of Boards of Directors,” former SEC Commissioner Luis Aguilar said that the looming threat of cyberattacks “has only served to ratchet up the pressure on company boards to effectively implement enterprise risk oversight,” adding that shareholders can sue directors for failing to adequately protect against cyberthreats.

In December 2016, Sarah Bloom Raskin, deputy secretary of the U.S. Treasury, remarked that boards and senior leaders need to be able to ask the right questions about cyber risks and consider the trade-offs. She further argued for the need to empower boards and top leadership — through education, training and access to outside expertise — to “thoughtfully assess management’s assertions about the design and effectiveness of their organizations’ cyberdefenses” and to “evaluate the completeness and accuracy of their managements’ description of their cybersecurity programs.”

Educating Executives on Core Principles of Cyber Risk

While the topic of cybersecurity isn’t exactly a required course for MBA programs and leadership certificates, directors have been receiving more focused and actionable advice. This comes both from regulators and organizations charged with training board directors, such as the National Association of Corporate Directors (NACD).

According to Board Agenda, board directors need “sufficient relevant skills and understanding to review and challenge management performance.” Similarly, Robyn Bew, director of strategic content development for the NACD, outlined five core principles to properly oversee cyber risks:

  1. Cybersecurity should be part of the overall enterprise risk management program.
  2. Boards should understand the legal side of cyber risks.
  3. Boards should have access to cybersecurity expertise and regularly review the issue.
  4. Boards should ensure that management has provided appropriate direction and support for cybersecurity functions.
  5. Directors and managers should determine which risks to avoid, accept, mitigate and transfer.

Read the Fine Print

While it is still unusual to see anything beyond the most generic of statements regarding cyberthreats and cyber risk governance in SEC filings, more and more companies are mentioning cyber issues as part of their quarterly or yearly disclosures. Some of these updates provide a clearer sense of what boards and top leaders are doing about cybersecurity.

For example, one company’s SEC filing clearly stated that it had conducted cyber risk governance training “to equip board members with examples of questions to ask in order to challenge management and make sure that the controls in place align with the company’s risk appetite and culture.” It added that the company would “continue to monitor the performance and level of risk” regularly throughout the next year.

Boosting Security Awareness Among Board Members

The notion of board directors challenging management’s assertions isn’t a new concept, and it applies to all other areas of board members’ responsibilities. In 2013, for example, a cyber risk guidance report from U.K.-based governance institute ICSA distinguished cyber risk from other risk types due to “the rapid evolution of technology and the resulting fundamental changes in the way business is conducted.” The report also mentioned the need for boards to “consider taking wider advice” in an effort to fully comprehend the cybersecurity challenges they face.

But perhaps the best characterization of the situation facing board directors today comes from a report by the Deloitte EMEA Centre for Regulatory Strategy, which predicted that, as a result of increased cyber risk regulations and frameworks, “boards will be asked to demonstrate they have access to sufficient cyber and IT expertise to allow them to challenge management in this area.”

Board directors appear to have received the message loud and clear that it’s no longer enough to simply receive quarterly cybersecurity updates. Given these challenges, it’s really no wonder that directors want to be seen as more engaged — and, in many ways, more skeptical — when it comes to cybersecurity and cyber risks.
