There are generally four broad roles and functions that board committees can serve in order to promote the efficiency of the Board’s operation and help to bring a focus on the very key decisions that a Board will need to make. Committees can facilitate this process by:
- Helping to divide the work of the organization.
- Streamlining work by eliminating routine tasks from monthly board consideration, with more time at the regular board meeting for regular business.
- Serving to maximize the specific talents and experience of specific board members, with more intense research and deliberation about information.
- Permitting broader participation by all of its board members.
Of course, there can be disadvantages with Board committees if not managed properly. Excess cost is always a concern. Additionally, unless the relationship between the Board and the subcommittee is open and robust, considerations of high-impact decisions may be kept away from the full board, thereby narrowing the valuable resources. Some topics are better served if they are discussed by the full board at a regular board meeting.
Particular Considerations for a Cybersecurity Committee
The corporate world has seen one massive cybersecurity attack after another in the past several years. Though difficult to generalize, it is fair to say that the forms these attacks take have entered a more sophisticated phase. Early on, most attacks were single focused. A typical attack might entail a hacker entering a system, stealing a valuable piece of information and leaving. Today, it is common for hackers to enter a system and make themselves at home for a while, exploring the entirety of the company’s system to determine the most effective means of exploiting vulnerabilities. As Ben Johnson, Bit9 + Carbon Black’s chief security strategist, commented, “When hackers know that a big payday is coming they don’t mind waiting for months for the best moment to strike.”
This shift of mode of attack and the acceleration of cyberattacks generally raises the stakes for the Board, adding significantly to its customary responsibility for risk assessment and risk mitigation. The pure growth in the stakes weighs heavily in favor of serious consideration for a Board cybersecurity committee.
At the same time, the Board must work carefully in structuring the relationship with the potential cybersecurity subcommittee. There may even be incidents where a cybersecurty subcommittee is not appropriate or premature. The very technical nature of cybersecurity lends itself to a growing disparity of knowledge between the “experts” and others on the Board who may not know enough to ask the probing questions necessary to reach the right decision, balancing the technical risks and the larger board oversight role.
SEC Commissioner Luis A. Aguilar spoke to the New York Stock Exchange on the topic of “Cyber Risks and the Board Room.” His central message was: evidence suggests that there may be a gap that exists between the magnitude of the exposure presented by cyber risks and the steps, or lack thereof, that many corporate boards have taken to address these risks. Mr. Aguilar suggests that boards need to provide meaningful oversight of the company’s proactive measures to mitigate these risks.
Proper Steps in Determining the Need for or Creating a Cybersecurity Board Committee
Because cybersecurity is a topic du jour, it is understandable that corporate boards move quickly to establish a subcommittee or add a cyber expert to the Board, often to avoid criticism for being lax in this area. In doing so, Boards may not take the time to consider the numerous issues necessary to ensure that the proper resources are employed. Here are some ideas to consider:
- Consider your industry – retail, manufacturing, technology…every industry will bring particular and unique cybersecurity strengths and risks. Before determining whether to bring a cybersecurity expert onto the Board or to create a subcommittee, think these issues through.
- Where are the prominent breach risks in your company – personnel, connectivity with other entities, the Internet of things? A Strategic Cyber-Roadmap for the Board by the Harvard Forum cited an excellent review blueprint to consider before determining whether a Board subcommittee is the best course:
- Reducing security risks from malicious and negligent employees.
- Managing cybersecurity risks that might come from suppliers’ and partners’ products and applications.
- Managing risks associated with third-party outsourcing.
- Producing overviews on open source products and applications to increase transparency on cyber-risks.
- Creating breach prevention processes and practices.
- Analyzing risks due to introduction of IoT (Internet-of-things) products, forensic remediation practices, (simulations) of cyber incident response.
- Creating guidelines on communication to shareholders, regulatory authorities and employees in case of an incident
- Taking out cybersecurity insurance.
- Implementing cybersecurity education for employees and executives/board members
Is a Cybersecurity Committee Right for Working with Your Board?
As the points above suggest, there is a great deal of work, study and questions to be asked before formalizing a cybersecurity committee to work with your board. This work will become an excellent educational tool in its own right and will protect a company and its board from adopting an off-the-shelf approach that might look good to shareholders and yet not address the real need to tackle the very serious risk of cybersecurity threats. Prior to making a decision, it is often wise to conduct focus groups facilitated by an expert versed in cybersecurity and allow those sessions to be freewheeling and explore out-of-the-box thinking that in the end can help shape the right approach for your company. Diligent.com, which is the world’s leading collaboration tool for Board meetings, provides a unique mix of articles and studies that will help you initiate this process.