Board directors are under a lot of pressure. They know that it’s only a matter of time before their organization suffers a cyber incident, and all eyes will naturally be on the directors themselves to see if they were properly exercising their risk oversight.

Directors also know that all interactions with the CISO will be subject to close scrutiny in the aftermath of a breach. But with the right mix of security education, communication and help from outside experts, executives can fill cyber risk awareness gaps and achieve compliance with a growing number of privacy and risk regulations.

Regulatory Pressures

Boards are worried about both lawsuits from shareholders and fines from regulators. Many regulatory agencies, such as the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC), have made strong public statements to that effect and followed up with enforcements against entities that failed to take appropriate steps to safeguard data.

In an October 2015 speech titled “The Important Work of Boards of Directors,” former SEC Commissioner Luis Aguilar said that the looming threat of cyberattacks “has only served to ratchet up the pressure on company boards to effectively implement enterprise risk oversight,” adding that shareholders can sue directors for failing to adequately protect against cyberthreats.

In December 2016, Sarah Bloom Raskin, deputy secretary of the U.S. Treasury, remarked that boards and senior leaders need to be able to ask the right questions about cyber risks and consider the trade-offs. She further argued for the need to empower boards and top leadership — through education, training and access to outside expertise — to “thoughtfully assess management’s assertions about the design and effectiveness of their organizations’ cyberdefenses” and to “evaluate the completeness and accuracy of their managements’ description of their cybersecurity programs.”

Educating Executives on Core Principles of Cyber Risk

While the topic of cybersecurity isn’t exactly a required course in MBA programs and leadership certificates, directors have been receiving more focused and actionable advice, both from regulators and from organizations charged with training board directors, such as the National Association of Corporate Directors (NACD).

According to Board Agenda, board directors need “sufficient relevant skills and understanding to review and challenge management performance.” Similarly, Robyn Bew, director of strategic content development for the NACD, outlined five core principles to properly oversee cyber risks:

  1. Cybersecurity should be part of the overall enterprise risk management program.
  2. Boards should understand the legal side of cyber risks.
  3. Boards should have access to cybersecurity expertise and regularly review the issue.
  4. Boards should ensure that management has provided appropriate direction and support for cybersecurity functions.
  5. Directors and managers should determine which risks to avoid, accept, mitigate and transfer.

Read the Fine Print

While it is still unusual to see anything beyond the most generic of statements regarding cyberthreats and cyber risk governance in SEC filings, more and more companies are mentioning cyber issues as part of their quarterly or yearly disclosures. Some of these updates provide a clearer sense of what boards and top leaders are doing about cybersecurity.

For example, one company’s SEC filing clearly stated that it had conducted cyber risk governance training “to equip board members with examples of questions to ask in order to challenge management and make sure that the controls in place align with the company’s risk appetite and culture.” It added that the company would “continue to monitor the performance and level of risk” regularly throughout the next year.

Boosting Security Awareness Among Board Members

The notion of board directors challenging management’s assertions isn’t a new concept, and it applies to all other areas of board members’ responsibilities. In 2013, for example, a cyber risk guidance report from U.K.-based governance institute ICSA distinguished cyber risk from other risk types due to “the rapid evolution of technology and the resulting fundamental changes in the way business is conducted.” The report also mentioned the need for boards to “consider taking wider advice” in an effort to fully comprehend the cybersecurity challenges they face.

But perhaps the best characterization of the situation facing board directors today comes from a report by the Deloitte EMEA Centre for Regulatory Strategy, which predicted that, as a result of increased cyber risk regulations and frameworks, “boards will be asked to demonstrate they have access to sufficient cyber and IT expertise to allow them to challenge management in this area.”

Board directors appear to have received the message loud and clear that it’s no longer enough to simply receive quarterly cybersecurity updates. Given these challenges, it’s really no wonder that directors want to be seen as more engaged — and, in many ways, more skeptical — when it comes to cybersecurity and cyber risks.
