October 13, 2015 By Christophe Veltsos 4 min read


“The SEC, FTC and other regulators (federal, state, global) have sharpened their scrutiny of companies’ data security efforts, as well as disclosures and communications about cybersecurity risks and breaches.” – KPMG’s “On the 2015 Board Agenda”

Why Your Board of Directors Is Asking About Cyber Risks

Driven in part by reactions to the large number and scale of data breaches in the past decade, government agencies are flexing their enforcement muscles and sending clear signals that security is a top agenda item.

Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar, speaking at the New York Stock Exchange (NYSE) on June 10, 2014, clearly stated the SEC’s stance. “Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks,” he said. He also issued a clear warning that “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.”

Since then, Commissioner Aguilar has again gone on record to warn of cyber risks. “It should not be a surprise that cybersecurity has become a focal point for the SEC’s enforcement efforts in recent years, and it has been reported that the SEC’s Division of Enforcement is currently investigating multiple data breaches,” he said at the SINET Innovation Summit on June 25, 2015. “Moreover, the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.”

This new focus from government agencies isn’t limited to the U.S., however. The U.K. government’s National Technical Authority for Information Assurance stated that “proactive management of the cyber risk at board level is critical.” To this end, the U.K. government has made available a document that outlines cyber-related responsibilities and key questions for boards and management. Additional resources for boards include the “Cyber Risk Oversight Handbook,” published by the National Association of Corporate Directors (NACD).

A New Reality for Boards

The new reality facing the board is best summarized by Cybersecurity Docket: “Every board now knows its company will fall victim to a cyberattack, and even worse, that the board will need to clean up the mess and superintend the fallout.”

Detlev Gabel, a partner at White & Case LLP in Frankfurt, Germany, explained what is at stake for directors. “Similar to other compliance areas, board directors can be held liable for not discharging their duty to prevent harm to the corporation,” he said. “In performing their oversight role, directors should stay informed about the corporation’s cybersecurity defenses. They must ask what the risks are and determine what needs to be done to mitigate them.”

Failure to properly oversee cyber risks also poses a threat. “Directors who fail to take appropriate measures — both before and after a data breach occurs — risk subjecting their companies to government enforcement actions, and themselves to derivative shareholder lawsuits,” explained the law firm Fredrikson & Byron.

KPMG, in its “Governance Challenges & Priorities Driving the 2015 Agenda” report, called cybersecurity “the problem of the 21st century.” Beyond compliance risk, it pointed to “the potential for lawsuits, reputational damage and loss of customers.”

Why Were Boards So Slow to Take on Cyber Risks?

According to EY’s “Cyber Program Management” report, there are several reasons why boards have been reluctant to take on cybersecurity. Among them: cyber is just one of many topics competing for a board’s agenda; an IT silo mentality has relegated the protection of data and systems to the IT department; boards find it difficult to properly assess cyber risks and the risk management program management has put in place; and organizations have focused on shoring up defenses (preventive security controls) while neglecting incident detection and response capabilities.

However, as Commissioner Aguilar stated to the NYSE, times have changed, and “ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” The writing is on the wall: Boards can no longer sweep cyber risks aside. They must properly oversee the management of risks that were once relegated to the domain of the IT department.

How Are Boards Taking Ownership of Their Cyber Risk Oversight Role?

Boards first have to make time for cyber risks on their agendas. According to EY’s “Cyber Program Management” report, boards of directors are now advised to discuss cybersecurity on a quarterly basis or even more frequently.

How should boards oversee cyber risks? SEC Commissioner Aguilar provided some advice in his NYSE address. “Boards are responsible for overseeing that the corporation has established appropriate risk management programs and for overseeing how management implements those programs,” he stated. The commissioner clearly assigns to boards the “responsibility to ensure that management has implemented effective risk management protocols.”

What are boards advised to do? According to advisory firm SpencerStuart, a board of directors should ensure management includes cyber risks as part of its enterprisewide risk management program. It should also seek to better understand cyber risks, assess current cybersecurity practices and plan and rehearse for a breach.

Robyn Bew, the director of research at the NACD, advised boards of directors to ask themselves three questions:

  1. Do we understand the nature of the cyberthreat as it applies to our company?
  2. Do the board processes and structure support high-quality dialogue on cyber matters?
  3. What are we doing to stay current as the cyberthreat landscape continues to evolve?

Some key takeaways from boards’ newfound interest and attention on cyber risks are:

  • Boards are now asking for more regular updates about cyber risks, and not just from the CEO or CIO.
  • Boards are seeking to better understand the nature of cyber risks impacting their organization.
  • Boards are increasingly likely to question the organization’s management of cybersecurity issues, and that’s a good thing!

In an upcoming article, we’ll explore what boards are told to ask about when it comes to cybersecurity, as well as the questions CISOs are likely to face when presenting to the board.
