Why Is Your Board of Directors Finally Asking About Cyber Risks?

“The SEC, FTC and other regulators (federal, state, global) have sharpened their scrutiny of companies’ data security efforts, as well as disclosures and communications about cybersecurity risks and breaches.” – KPMG’s “On the 2015 Board Agenda

Why Your Board of Directors Is Asking About Cyber Risks

Driven in part by reactions to the large number and scale of data breaches in the past decade, government agencies are flexing their enforcement muscles and sending clear signals that security is a top agenda item.

Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar, speaking at the New York Stock Exchange (NYSE) on June 10, 2014, clearly stated the SEC’s stance. “Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks,” he said. He also issued a clear warning that “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.”

Since then, Commissioner Aguilar has again gone on record to warn of cyber risks. “It should not be a surprise that cybersecurity has become a focal point for the SEC’s enforcement efforts in recent years, and it has been reported that the SEC’s Division of Enforcement is currently investigating multiple data breaches,” he said at the SINET Innovation Summit on June 25, 2015. “Moreover, the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.”

This new focus from government agencies isn’t just limited to the U.S., however. The U.K. government’s National Technical Authority for Information Assurance stated that “proactive management of the cyber risk at board level is critical.” To this end, the U.K. government has made available a document that outlined cyber-related responsibilities and key questions for boards and management. Additional resources for boards include the “Cyber Risk Oversight Handbook,” published by the National Association of Corporate Directors (NACD).

A New Reality for Boards

The new reality facing the board is best summarized by Cybersecurity Docket: “Every board now knows its company will fall victim to a cyberattack, and even worse, that the board will need to clean up the mess and superintend the fallout.”

Detlev Gabel, a partner at White & Case LLP in Frankfurt, Germany, explained what is at stake for directors. “Similar to other compliance areas, board directors can be held liable for not discharging their duty to prevent harm to the corporation,” he said. “In performing their oversight role, directors should stay informed about the corporation’s cybersecurity defenses. They must ask what the risks are and determine what needs to be done to mitigate them.”

Failure to properly oversee cyber risks also poses a threat. “Directors who fail to take appropriate measures — both before and after a data breach occurs — risk subjecting their companies to government enforcement actions, and themselves to derivative shareholder lawsuits,” explained the law firm Fredrikson & Byron.

KPMG, in its “Governance Challenges & Priorities Driving the 2015 Agenda” report, called cybersecurity “the problem of the 21st century.” Beyond compliance risk, it pointed to “the potential for lawsuits, reputational damage and loss of customers” as potential outcomes.

Why Were Boards So Slow to Take on Cyber Risks?

According to EY’s “Cyber Program Management” report, there are several reasons why boards are so reluctant to take on cybersecurity. Some of these reasons include the fact that cyber is just one of the many topics on a board’s agenda; the IT silo mentality that has relegated the protection of data and systems to the IT department; the difficulty for the board to properly assess cyber risks and the risk management program put in place by management; and the approach of shoring up defenses (preventative security controls) while ignoring incident detection and response capabilities.

However, as Commissioner Aguilar stated to the NYSE, times have changed, and “ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” The writing is on the wall: Boards can no longer sweep cyber risks aside. They must properly oversee the management of risks that were once relegated to the domain of the IT department.

How Are Boards Taking Ownership of Their Cyber Risk Oversight Role?

Boards first have to make time for cyber risks on their agendas. According to EY’s “Cyber Program Management” report, boards of directors are now advised to discuss cybersecurity on a quarterly basis or even more frequently.

How should boards oversee cyber risks? SEC Commissioner Aguilar provided some advice in his NYSE address. “Boards are responsible for overseeing that the corporation has established appropriate risk management programs and for overseeing how management implements those programs,” he stated. The commissioner clearly assigns to boards the “responsibility to ensure that management has implemented effective risk management protocols.”

What are boards advised to do? According to advisory firm SpencerStuart, a board of directors should ensure management includes cyber risks as part of its enterprisewide risk management program. It should also seek to better understand cyber risks, assess current cybersecurity practices and plan and rehearse for a breach.

Robyn Bew, the director of research at the NACD, advised boards of directors to ask themselves three questions:

  1. Do we understand the nature of the cyberthreat as it applies to our company?
  2. Do the board processes and structure support high-quality dialogue on cyber matters?
  3. What are we doing to stay current as the cyberthreat landscape continues to evolve?

Some key takeaways from boards’ newfound interest and attention on cyber risks are:

  • Boards are now asking for more regular updates about cyber risks, and not just from the CEO or CIO.
  • Boards are seeking to better understand the nature of cyber risks impacting their organization.
  • Boards are increasingly likely to question the organization’s management of cybersecurity issues, and that’s a good thing!

In an upcoming article, we’ll explore what boards are told to ask about when it comes to cybersecurity, as well as the questions CISOs are likely to face when presenting to the board.

Share this Article:
Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is an associate professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.