Each newly disclosed breach reinforces to board directors how complex and sophisticated attacks on technology have become. Cyber risk is not only here to stay; it is sure to grow more complex in the coming years.
Boards have been incorporating discussions about cybersecurity into their agendas at least several times a year. The complexity and interconnectedness of cyber risk will soon require discussions about cybersecurity to become a standard item on board agendas.
The responsibility that boards accept for managing cyber risk extends well beyond the corporations they govern. Beyond shielding the company from litigation, the controls that protect a company's systems also protect its customers, employees and the wider society that depends on those systems.
As the intricacies of technology continue to evolve and threaten corporate livelihoods, board directors will need to develop their own knowledge about technical issues and rely on technical experts as part of best practices for good corporate governance.
Earlier Attempts at Strengthening Cybersecurity Efforts
As far back as 2003, policymakers began to recognize the link between corporate governance and cybersecurity. In late 2003 the National Cyber Security Partnership, a public-private effort formed in response to the National Strategy to Secure Cyberspace, established the first Corporate Governance Task Force, with the goal of developing and promoting a practical framework for management to address cybersecurity. The task force was also charged with creating a roadmap for how corporations across all industries, as well as other organizations and educational institutions, could implement effective security programs as part of their governance duties.
The task force released some of the earliest reports on cybersecurity as it relates to governance, and much of what they learned is relevant today.
What Makes Cybersecurity a Governance Issue?
Individual board directors may not have the technical expertise to understand the complexities involved in cybersecurity. Nevertheless, individually, collectively and with the aid of technical experts, they must continue to seek ways to strengthen their corporation’s security efforts.
While board directors should not be operating security controls themselves, they need to understand which of the many areas they oversee carry cyber risk, and to what degree.
Board directors are directly responsible for overseeing risk management, which necessarily includes cyber risk management. Boards must also oversee the strength of the company's internal controls; weaknesses or failures in those controls are often the first signal of cyber exposure.
Boards also bear the responsibility to make sure that managers are held accountable for continuously training employees on the roles they play in maintaining a culture of security. Boards likewise need to confirm that IT and security teams are performing rigorous testing on a regular basis, such as penetration tests and independent security assessments, preferably conducted by third parties. While implementing the cybersecurity program rests squarely with senior management, board directors are responsible for overseeing that work and holding management accountable for it.
Cyber breaches can quickly escalate to legal liability for corporations. Board directors have a fiduciary duty of obedience, which means they are responsible for the corporation to follow all state, federal and local laws. As part of good governance, board directors are responsible for protecting their shareholders, employees and stakeholders against legal problems that may result from cyber risks.
Making Cybersecurity a Regular Item on the Agenda
Board directors need access to cyber experts on a regular basis. This can be a company IT expert, chief security officer, or chief information officer. Many boards are starting to look for cybersecurity experts who also have desirable qualities as board members to round out their board composition.
In addition to having access to a cybersecurity expert, board directors need to make time on the agenda for discussing cyber risk matters. Discussion should include the corporation’s overall cybersecurity strategy, current projects and challenges. Board discussion should consider any budgetary or other needs that the cybersecurity team needs to perform its job satisfactorily.
Boards should also be aware of how peers and competitors are protecting and defending themselves, so they can learn from others' experiences, including their breaches, and improve their own security.
In addition, boards need to become acquainted with any third parties who perform independent testing and checks on cyber health.
Cybersecurity in the Boardroom
Cybersecurity starts in the boardroom. Besides having cybersecurity and data protection on the agenda for every board meeting, the board of directors also needs to follow best practices for cyber protection itself. With technology becoming an ever-present asset in boardrooms, directors need to make sure that the tools they use, from mobile devices to board portals, protect the sensitive material that passes through them. Board members should run their own risk assessment on the devices they use and ensure that their communication methods do not expose board materials to attack or accidental disclosure. Ordinary email should be avoided for board materials and replaced by a secure communications tool with controls that prevent documents from being sent to an outside party by mistake.
Additionally, the board of directors should look for a single, integrated suite of products rather than a patchwork of separate tools, so that the amount of loosely controlled technology in the boardroom is kept to a minimum. This is the approach taken by the Diligent Governance Cloud, an integrated enterprise governance management solution that enables organizations to achieve best-in-class governance by digitizing the various activities and tasks of the board of directors. As organizations grow more complex and regulations more stringent, the scope of governance responsibilities evolves. The Governance Cloud allows boards of directors to meet the demands in the boardroom and beyond, with the ability to select the products they need to perform their best and work within their allotted budgets.
Internal Audits Are Best Practices for Internal Controls
Regulations require public companies to have their financial statements audited annually, and boards oversee that process. Boards can apply the same internal audit discipline to assess the cybersecurity health of the company. An internal cybersecurity audit should cover all domains of the security program, not only the technical controls. External security firms can be instrumental in helping boards interpret the findings and in recommending improvements.
Boards Perform Duties Related to Legal Oversight
Board directors need to think beyond their own entities in their oversight of cyber risk.
Many corporations contract with third-party cybersecurity providers. Boards need to know who all third-party service providers are and review contracts, so they know the different areas for which each party is responsible.
Boards also need to stay current with the state laws and the laws of other countries that apply to their operations. This entails knowing where the corporation does business and where it shares data, and keeping up with the data privacy and breach notification laws in those states and countries. Along those lines, boards need to know who the appropriate local, state, national and international authorities are in case they need to report a breach or an attempted breach.
Cybersecurity Framework Requires Clear Lines of Accountability
Providing cybersecurity oversight means that board directors need to impress upon managers the importance of communicating how cyber risks factor into enterprise risk management. In addition, boards need to dedicate funding for IT operations that includes a distinct budget line for security, so that security spending is visible and can be tracked.
Corporations are still refining how to structure their management so that no gap in cybersecurity responsibility goes unowned. Various titles, including CISO, CIO, COO and CEO, are all appropriate as long as the job descriptions are clear and every manager understands which duties are theirs.
Cybersecurity Is an Enterprise Management-Level Risk
Cybersecurity is an enterprise-level risk, just like the other risks that enterprise management handles. Thus, the board and management should assess cybersecurity as they would any other risk: deciding which risks to avoid, which to mitigate, which to transfer through insurance, and which they can reasonably accept. The board also needs to weigh its level of risk against the amount and types of coverage on its cyber risk insurance policy to ensure that the coverage limits and exclusions are adequate.
Cyber risk analysts should be able to assist the board in providing data about financial costs and reputational costs in the event of a breach.
Essentially all of a board's duties are governance duties, and cybersecurity is no exception. Because cybersecurity risk is so significant, and because boards generally know less about it than about other areas of governance, today's boards need to give special attention to their governance duties concerning cybersecurity.