Fifty percent of S&P 500 companies will be replaced in the next 10 years—a sobering (and perhaps thrilling) statistic for today’s business leaders, yet one that reflects the immense pressure on companies to innovate or be left behind. As investors and market pressures drive organizations to become more digital, more global, and more sustainable, today’s boards are finding discussions of risk appetite to be a delicate balancing act.
What’s at stake for today’s companies and consumers? How are other boards structuring oversight? What should directors know about their liability risk in the wake of a data breach? Should boards be recruiting cyber experts? These are the questions we explore in the sections below.
With such a large part of today’s market value concentrated in digital assets, a cyberattack becomes one of the greatest dangers facing a company today. How much cyber risk is your organization willing to sustain on the road to long-term growth? This is the question today’s board members must answer as they navigate a rather high-stakes game of risks and rewards.
Cyber Risk Definition
Cyber risk is defined by RSA as “the potential of loss or harm related to technical infrastructure or the use of technology within an organization”. A full understanding, however, necessitates that cyber risk be further categorized by intent (malicious or unintentional) and source (internal or external). Understanding cyber risk along these dimensions is key to structuring a company’s defenses. A data breach, for example, may not always be criminally motivated, and certain industries may be more likely to experience internal vs. external threats.
The Costs of Cybercrime
The average cost of a data breach today is $3.9 million, inclusive of legal fees, fines, lost productivity, crisis response efforts, remediation, and so on. However, these hard costs are only one part of the cyber risk equation. The loss of intellectual property, competitive insights, or consumer trust can often be the greatest source of long-term damage in the wake of a data breach. For this reason, boards should be putting near-equal weight on a comprehensive incident response plan, which is the board’s best tool for mitigating damage to stakeholder relationships, brand equity, and reputation.
The Challenge for Boards
Cyber risk oversight–and its technical concepts and vocabulary–can feel foreign to directors. At an average age of 63, the vast majority of today’s board members didn’t encounter cyber risk during the course of their careers–at least not at the level today’s organizations must operate. However, directors must recognize the similarities between cyber risk and other types of risk oversight, which they’ve long managed. Each member of the board is ultimately responsible for getting themselves up to speed and acquiring the language necessary to ask the right questions.
[Boards shouldn’t] think that [cyber] is something so technical and brand new that they don’t have a handle on it. Boards have dealt with risks of all kinds within their organizations in the past—they have adopted new risks over time. If they’re skilled and feel confident doing that, then they should feel confident about cyber.
— Michael Kaiser, Former Executive Director, National Cyber Security Alliance
Prioritize Protection Around the Company’s Greatest Assets
As with any form of risk management, it’s a game of prioritization. You can’t protect everything equally, and it’s the board’s job to ensure management has concentrated the strongest cybersecurity protections around the company’s most valuable assets. Every board should start with an inventory of the company’s digital assets and third-party relationships. Guiding the board should be the question: “What’s the worst thing this company could lose?” Knowing what data and relationships exist is an indisputable first step. The board can’t protect what it doesn’t know about.
Conduct an External Analysis and Leverage Existing Industry Data
Even though every company has a different set of risks and threat actors, understanding industry trends can shed light on where cybersecurity time and budget may be best allocated. For example, the majority of cyberattacks in the U.S. hospitality industry can be traced back to external actors targeting customer payment information. Compare that to hospitals and healthcare organizations, where breaches are more likely to originate internally from human error. Knowledge is power when it comes to understanding the company’s most likely cyber adversaries and their motivations.
Don’t Overlook the Human Factor
The “human factor” is all too often overlooked in board discussions of cyber risk. Consider the fact that 91 percent of successful hacks originate from phishing emails (i.e., fraudulent emails designed to extract valuable information from employees). Today’s boards should press management to explain what the company is doing to teach employees about the most common cyber risks and how to report them. Although difficult to measure, a cyber awareness training program is often one of the most impactful things the board and management team can implement on the road to cyber resilience.
Everyone is a source of cyber risk. Public failures become personal. Personal failures become public. Even seemingly small lapses in judgment or policy oversight can have dire consequences.
Is the Audit Committee the Right Owner?
Over the last several years, the audit committee has been the most popular place for boards to assign ownership. However, as the cyber risk environment grows more complex–and as cyber risk becomes increasingly central to discussions of strategy and value creation–it’s debated whether a better owner may be the full board, a dedicated risk/technology committee, or a hybrid of the two. Governance experts also worry that audit committee agendas are already too packed to “tack on” another risk as important as cyber.
What’s the Best Structure for Our Board?
Oversight structures will necessarily vary by board and depend on several factors: nature of company assets, industry, risk tolerance, cyber threat history, existing committee structure, current director skill sets, etc. Among the questions boards should be asking: Is our full board capable of taking the deep dives necessary to oversee cyber risk throughout the organization? Does our board have the skill sets to effectively manage cyber risk within a dedicated committee? If so, what’s the process for reporting back to the full board?
Should We Recruit a Cyber Expert to the Board?
Less than one-fifth of directors say they are satisfied with the current levels of IT or cybersecurity expertise on their board (via PwC’s Governance Insights Center). Yet many boards debate whether recruiting directors with cyber expertise is actually the best strategy for board oversight—especially since these candidates typically lack broader operational experience. Many boards are taking a chance on these first-time directors, while others are electing different methods for incorporating cyber expertise.
…people are recognizing that having a CISO on the board is not necessarily a clear path to shifting the discussion around cybersecurity…A lot of the cyber challenges that today’s companies are facing are not just the traditional cyber issues–rather, they’re regulatory, they’re business-model driven, and they involve broader ethical questions around how to interact with data and machine learning.
— Jason Baumgarten, Partner, Spencer Stuart
As we emphasized in the section above, boards must be aware of any data privacy regulations or disclosure requirements for each country and industry in which the company operates. The European Union’s recent General Data Protection Regulation (GDPR) is expected to eventually influence U.S. regulations; however, for now, the U.S. cybersecurity disclosure landscape is still nascent, evolving, and largely voluntary.
The SEC recently updated its February 2018 interpretive guidance, which outlines its expectations around cybersecurity disclosure. The SEC encourages companies to disclose all material cyber risks and network incidents to shareholders, whether they’ve been the target of a cyberattack or not.
What Should Boards Know About Liability Related to Cyber Risk?
Boards have a duty to oversee risk across the organization–a duty that stems from their basic fiduciary duties of care and loyalty. In this episode highlight, William Chandler, Former Chancellor of the Delaware Court of Chancery, outlines a board member’s oversight duties related specifically to cyber risk.
In the case of a cyber breach, Chandler explained, a judge will determine the board’s liability based on the following logic: (1) Did the board have a system in place for monitoring cyber risks throughout the company? (2) Following its own system, did the board address any red flags in a timely manner?
Thus, not only should today’s boards have a process for overseeing cyber risk, but that process should be well documented. In our recent blog, the Wilson Sonsini Goodrich & Rosati team shares actionable steps board members can take to mitigate liability.
I use this old metaphysical story: If a tree falls in the forest, and there’s no one there to hear it, does it make a noise? The corporate law analog to that is: if a board follows an exemplary process but has no record of it, will the judge still respect what the directors did? You don’t want to find out the answer to that.
— William Chandler, Partner, Wilson Sonsini Goodrich & Rosati
1. Using Personal Email and Devices
Too often, we find that board members don’t associate their own communication practices with the company’s cybersecurity posture. This can be a dire mistake, given that board members and C-Suite executives often possess the most sensitive company information, making them the most attractive targets for hackers and other cybercriminals. Several recent exposés and court cases have revealed the dangers of personal email. Even if the nature of those conversations is seemingly incidental, personal email, like any other unencrypted or poorly encrypted digital gateway, can be used as a point of entry into a board member’s personal devices.
2. Overlooking the Implications and Liability Risk
When directors use personal channels for board communication, they seldom think about the implications should the company ever come under litigation. The Delaware Courts have held that any electronically stored materials relating to the business become the property of the company and are therefore “discoverable”. Thus, even if directors are using personal email, computers, or text messaging for incidental board matters, it could all be subject to e-discovery. Today’s corporate secretaries must set the tone for responsible communication practices and ensure their directors understand the dangers of communicating outside of a secure board portal environment.