“The SEC, FTC and other regulators (federal, state, global) have sharpened their scrutiny of companies’ data security efforts, as well as disclosures and communications about cybersecurity risks and breaches.” – KPMG’s “On the 2015 Board Agenda”

Why Your Board of Directors Is Asking About Cyber Risks

Driven in part by reactions to the large number and scale of data breaches in the past decade, government agencies are flexing their enforcement muscles and sending clear signals that security is a top agenda item.

Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar, speaking at the New York Stock Exchange (NYSE) on June 10, 2014, clearly stated the SEC’s stance. “Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks,” he said. He also issued a clear warning that “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.”

Since then, Commissioner Aguilar has again gone on record to warn of cyber risks. “It should not be a surprise that cybersecurity has become a focal point for the SEC’s enforcement efforts in recent years, and it has been reported that the SEC’s Division of Enforcement is currently investigating multiple data breaches,” he said at the SINET Innovation Summit on June 25, 2015. “Moreover, the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.”

This new focus from government agencies isn’t limited to the U.S., however. The U.K. government’s National Technical Authority for Information Assurance stated that “proactive management of the cyber risk at board level is critical.” To this end, the U.K. government has made available a document that outlines cyber-related responsibilities and key questions for boards and management. Additional resources for boards include the “Cyber Risk Oversight Handbook,” published by the National Association of Corporate Directors (NACD).

A New Reality for Boards

The new reality facing the board is best summarized by Cybersecurity Docket: “Every board now knows its company will fall victim to a cyberattack, and even worse, that the board will need to clean up the mess and superintend the fallout.”

Detlev Gabel, a partner at White & Case LLP in Frankfurt, Germany, explained what is at stake for directors. “Similar to other compliance areas, board directors can be held liable for not discharging their duty to prevent harm to the corporation,” he said. “In performing their oversight role, directors should stay informed about the corporation’s cybersecurity defenses. They must ask what the risks are and determine what needs to be done to mitigate them.”

Failure to properly oversee cyber risks also poses a threat. “Directors who fail to take appropriate measures — both before and after a data breach occurs — risk subjecting their companies to government enforcement actions, and themselves to derivative shareholder lawsuits,” explained the law firm Fredrikson & Byron.

KPMG, in its “Governance Challenges & Priorities Driving the 2015 Agenda” report, called cybersecurity “the problem of the 21st century.” Beyond compliance risk, it pointed to “the potential for lawsuits, reputational damage and loss of customers” as potential outcomes.

Why Were Boards So Slow to Take on Cyber Risks?

According to EY’s “Cyber Program Management” report, there are several reasons why boards are so reluctant to take on cybersecurity. Some of these reasons include the fact that cyber is just one of the many topics on a board’s agenda; the IT silo mentality that has relegated the protection of data and systems to the IT department; the difficulty for the board to properly assess cyber risks and the risk management program put in place by management; and the approach of shoring up defenses (preventative security controls) while ignoring incident detection and response capabilities.

However, as Commissioner Aguilar stated to the NYSE, times have changed, and “ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” The writing is on the wall: Boards can no longer sweep cyber risks aside. They must properly oversee the management of risks that were once relegated to the domain of the IT department.

How Are Boards Taking Ownership of Their Cyber Risk Oversight Role?

Boards first have to make time for cyber risks on their agendas. According to EY’s “Cyber Program Management” report, boards of directors are now advised to discuss cybersecurity on a quarterly basis or even more frequently.

How should boards oversee cyber risks? SEC Commissioner Aguilar provided some advice in his NYSE address. “Boards are responsible for overseeing that the corporation has established appropriate risk management programs and for overseeing how management implements those programs,” he stated. The commissioner clearly assigns to boards the “responsibility to ensure that management has implemented effective risk management protocols.”

What are boards advised to do? According to advisory firm SpencerStuart, a board of directors should ensure management includes cyber risks as part of its enterprisewide risk management program. It should also seek to better understand cyber risks, assess current cybersecurity practices and plan and rehearse for a breach.

Robyn Bew, the director of research at the NACD, advised boards of directors to ask themselves three questions:

  1. Do we understand the nature of the cyberthreat as it applies to our company?
  2. Do the board processes and structure support high-quality dialogue on cyber matters?
  3. What are we doing to stay current as the cyberthreat landscape continues to evolve?

Some key takeaways from boards’ newfound interest and attention on cyber risks are:

  • Boards are now asking for more regular updates about cyber risks, and not just from the CEO or CIO.
  • Boards are seeking to better understand the nature of cyber risks impacting their organization.
  • Boards are increasingly likely to question the organization’s management of cybersecurity issues, and that’s a good thing!

In an upcoming article, we’ll explore what boards are told to ask about when it comes to cybersecurity, as well as the questions CISOs are likely to face when presenting to the board.
