“Directors don’t need to be technologists to play an effective role in cyber risk oversight — but every board can take the opportunity to improve the effectiveness of their cyber oversight practices.” — Peter Gleason, NACD President
In January 2017, the National Association of Corporate Directors (NACD) released an updated edition of its “Director’s Handbook on Cyber-Risk Oversight.” In light of increasing pressures from regulators and ongoing cyberattacks, board directors have a key role to play to ensure proper oversight of cyber risks for their organizations.
The 2017 edition improves on the 2014 version by clarifying several points for board directors to help them understand the strategic importance of cyber risks and the complexity of threats. It also includes several appendices that both chief information security officers (CISOs) and directors will find useful when preparing for mergers and acquisitions (M&A). The appendices also contain information about metrics and dashboards, and the relationship between boards and CISOs.
Five New NACD Principles for Board Directors
1. Understand and Approach Cybersecurity as an Enterprisewide Risk Management Issue, Not Just an IT Issue
“The reality is that if a sophisticated attacker targets a company’s systems, they will almost certainly breach them,” the handbook warned. It goes on to cite the challenge of detecting the presence of attackers in an organization’s systems and networks. On average, it takes 146 days before an organization realizes it has been breached. In about half the cases, the breach is reported by law enforcement or third parties, not internally.
A sidebar titled “Why Would They Attack Us?” provides good examples to help new directors understand why their organization could be an appealing target for cybercriminals. The list includes M&A plans, contracts, sensitive HR information and client data.
2. Understand the Legal Implications of Cyber Risks as They Relate to the Company’s Specific Circumstances
The handbook pointed out the severe consequences of cyberattacks, specifically noting that companies and directors can find themselves exposed to legal risks following an attack. Directors are under tremendous pressure to appear to be doing something to get a handle on cyber risks. In many cases, this is manifested by the questions boards are asking CISOs and other managers. For example, the handbook warned that employees and contract workers, while indispensable assets, can also become easy vectors of attack for external actors, highlighting the need for regular security awareness training, strong controls and a strong organizational culture.
According to NACD, only 42 percent of public company directors are confident or very confident that their company is properly secured against a cyberattack, versus 29 percent for private companies. Similarly, just 42 percent of public company directors are moderately confident, in contrast with 39 percent for private companies. Finally, 15 percent of respondents from public companies said they were slightly or not at all confident, while 32 percent of private companies reported the same.
When it comes to boards’ own oversight of cyber risks, cyber continues to be a partial-board issue. When NACD surveyed boards about which group had oversight of cyber risks, 51 percent of respondents listed the audit committee, while only 41 percent reported that risks were reviewed at the full board level. In 11 percent of cases, risk management was an issue for a dedicated risk committee.
While boards have taken control of “big picture risks,” the numbers for cyber risks speak for themselves. Many boards don’t see this as a full-board issue, which could open them up to significant legal complications in the event of a breach.
The NACD survey results clearly showed that there is a lot of room for improvement to help board directors properly secure their organizations with confidence. Some of this pressure stems from investors, who are anxious to be kept in the loop regarding the cyber resilience of their investments. The Council on Institutional Investors created a list of five questions for directors to address:
- How are the company’s cyber risks communicated to the board, by whom and with what frequency?
- Has the board evaluated and approved the company’s cybersecurity strategy?
- How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
- How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
- When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?
3. Have Adequate Access to Cybersecurity Expertise and Give Cyber Risk Management Regular and Adequate Time on Board Meeting Agendas
While a number of CISOs reported spending time educating their top leaders about cybersecurity issues, the third principle in the handbook encouraged boards to have frequent, timely discussions about cyber risks and seek expertise beyond the confines of the boardroom. When needed, directors should look to outside experts to help them evaluate the assertions made by management and security leadership. This is akin to a doctor seeking advice from other medical professionals before signing off on a particular solution to a problem.
The handbook urged boards to schedule “deep-dive briefings” for independent third-party experts to help validate the extent to which the cybersecurity program is meeting objectives. Having adequate access to external expertise is key to enabling boards to address the questions raised by the Council on Institutional Investors. Without access to external expertise, boards would find it quite difficult to challenge or critically analyze the effectiveness of cybersecurity activities.
When it comes to boards’ access to the right internal resources during discussions on cyber risks, however, the NACD survey revealed a disconnect. The chief information officer (CIO) is the person most often in charge of reporting cybersecurity issues to the board (62 percent of cases), followed by the head of internal audit (38 percent), the CEO (37 percent) and, finally, the CISO (31 percent).
4. Set the Expectation That Management Will Establish an Enterprisewide Risk Management Framework With Adequate Staffing and Budget
The NACD handbook specifically mentioned the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), originally released in 2014. NIST created the framework to enable “organizations — regardless of size, degree of cybersecurity risk or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.” The CSF “focuses on using business drivers to guide cybersecurity activities and [considers] cybersecurity risks as part of the organization’s risk management processes.”
The NIST CSF has already been adopted by 29 percent of organizations, with future adoption rates projected as high as 70 percent. NACD reported even higher levels of adoption, with over 50 percent currently using the framework. In the case of federal agencies, adoption rates are over 80 percent.
Obviously, the NIST CSF isn’t the only framework out there. For example, many global organizations started adopting ISO 27001 years ago. Regardless of the particular framework chosen, boards need to ensure that it is fully and deeply implemented across all levels of the organization.
The handbook also recommended regular reviews of the effectiveness of the organization’s cyber risk management. This is meant to provide a sense of assurance that the organization can display an appropriate level of cyber resilience in the face of near-certain attacks.
5. Management Discussions Should Include Identification of Which Risks to Avoid, Which to Accept and Which to Mitigate or Transfer Through Insurance
With this principle, the board must answer questions such as: What type of data, and how much of it, is the organization willing to expose? How should investments in mitigation efforts be balanced, given that the organization can’t possibly protect everything with the same level of vigilance?
Directors must also review cyber risk insurance options to transfer the risks that are not economically feasible to mitigate. In addition, they must define the organization’s cyber risk appetite, and the process for escalating and communicating during and after an incident.
Final Takeaways From the 2017 NACD Handbook
All in all, the 2017 edition of the handbook provides a solid foundation for both new and seasoned board directors to grasp the intricacies and complexities of the cybersecurity landscape. However, the handbook is valuable beyond the boardroom. C-suite executives will find it useful and relevant to them, especially the appendix titled “Questions for the Board to Ask Management About Cybersecurity.” CISOs can easily point to this document as a reference when presenting to top leadership and align their requests with one of the five principles.