January 11, 2018 By Christophe Veltsos

In mid-December 2017, the National Association of Corporate Directors (NACD) published its “2018 Governance Outlook: Projections on Emerging Board Matters” report, designed to highlight key areas of focus for board directors in 2018. It also offered recommendations for improving the management of enterprise risks, including a section dedicated to cyber risks.

Four Key Takeaways From the NACD’s ‘2018 Governance Outlook’

The report — and the underlying NACD Public Company Governance Survey — found that only 49 percent of board directors are confident about management’s ability to effectively handle cyber risks. In the same vein, since there are increasing calls for cyber risks to be integrated within the enterprise risk management (ERM) system, 58 percent said it was important or very important for their boards to improve oversight of risk management in the coming year.

When it comes to cyber risks, there is a lot of room for improvement: Only 12 percent of respondents in the public governance survey said their boards had a “high level of knowledge” of cyber risks. With those numbers in mind, below are four takeaways for board directors from the report:

1. Get Engaged With Strategy and Risk Oversight

Boards should focus on what matters, and that includes organizational strategy and execution, the way risks are managed and keeping a close eye on cyber risks. Since board meetings are often filled with discussions about board composition, compensation, succession and disclosure-related issues, it can be extremely challenging to make time for anything else. However, businesses today are facing heavy turbulence, often resulting in management going from crisis to crisis. In such an environment, directors, with their varied experiences and backgrounds, are best positioned and prepared to spot trends and ensure that management’s actions not only help the company survive today, but also continue to thrive in the future.

Directors know that the buck stops with them, so it should come as no surprise that 71 percent believe their boards must improve their understanding of the risks and opportunities, as well as their impact on performance in the coming year. However, directors also understand that they need to get involved with the development of strategy (67 percent) and improve the way they monitor management’s ability to execute those strategies successfully (also 67 percent). Instead of “reviewing and concurring” with management’s approach, directors are cautioned to be more engaged with both strategy and risk oversight.

Part of that engagement is to “hold executives accountable for providing better intelligence on cyber risk and delivering better results.” It is reckless and unacceptable for a CISO or CIO to report on cyber risks in ways that are not relevant to the CEO and the board.


2. Pay Close Attention to Cyberthreats

One of the key lessons for boards to take away from this report is the need for directors to “implement defense strategies to combat cyberthreats.” Directors are cautioned against continuing a largely passive and disconnected approach to their oversight duties when it comes to cyber risks.

The message appears to have been received: When asked about the top five trends that have the greatest potential impact on their company over the coming year, directors ranked cyberthreats fourth (at 38 percent), below industry changes (58 percent), business model disruptions (46 percent) and global economic changes (46 percent). In fact, cyberthreats ranked well above political uncertainty, technology disruptions, U.S. tax reform and investor activism.

The report noted that cyber risks are likely to remain on board agendas permanently, but also reminded directors of their duty to press for “complete, relevant and timely” assurances on how effective the organization is in identifying, managing and responding to cyber risks. But the days of paying lip service to cyberthreats by reviewing, communicating and doing the bare minimum to avoid fines or pass a yearly compliance audit are long gone. The survival of the organization as a whole is at stake with the current level of threats. If the board isn’t confident in its own ability to fully understand cyber risks, the report urged directors to “add a cyber risk specialist on the board” or employ “outside cybersecurity consultants as board advisors.”

3. Work to Improve Organizational Culture

Directors need to get a clear, unbiased picture of the company’s culture and help shape it appropriately. Since culture is often a key driver of performance, it affects the way the organization interacts with its staff, clients and business partners. As such, it can have a direct impact on the company’s success and the kinds of risks it faces.

Organizational culture is most often characterized as either risk-seeking or risk-averse. However, the nature of the organization’s security culture should also be part of the board’s overall dashboard metrics on corporate culture. Without a strong culture of security, the organization’s next breach may well come from one of its own employees instead of an external attacker.

4. Ask the Tough Questions

Board directors have a fiduciary duty to oversee cyber risks. They should be able to clearly document the steps and actions they’ve taken to become engaged. When asked about which practices board directors themselves had used, the top four responses were:

  • Looking at the company’s current strategy for protecting its most critical cyber assets (82 percent);

  • Looking at the company’s IT infrastructure to safeguard data (74 percent);

  • Reviewing management’s reporting of cyber risk information and improving the quality of information used to make cyber risk decisions (69 percent); and

  • Looking at the company’s data breach response plan (61 percent).

Because cyberthreats are constantly evolving, board directors need to help management identify and implement a more effective strategic plan for dealing with cyber risks. The report provided six key questions to assist with this endeavor, three of which are listed below:

  • What people, processes and technologies are we currently using to defend our network?

  • What additional resources are needed in people, processes and technologies to limit risk?

  • Are representatives from the security team included in every business planning meeting?

Improving Executive Engagement

As the report noted, “Being ‘secure’ is not a static end state that lends itself to inflexible compliance checklists; it requires a constant evaluation of risk relative to a rapidly evolving cyberthreat landscape.” NACD’s “2018 Governance Outlook” provides good, actionable advice for boards to improve their engagement around strategic risk management and oversight of cyber risks.
