Cyber-attacks continue to escalate. For example, Toyota drew unwanted attention this year, when, in the spring, it announced two data breaches in a matter of weeks. The attacks involved Japanese Toyota and Lexus dealers. It was reported that the attackers were able to gain access to a server that was tied to the company’s entire network. The companies acknowledged that the breach may have opened the door to the data of 3.1 million people. It is still not clear whether credit card information was accessed. And, of course, we all remember the massive Equifax data breach that led to the exposure of the personal and financial data of 148 million Americans and cost Equifax at least $650 million to settle lawsuits stemming from the attack.
With cybersecurity risk steadily increasing, it is not surprising that cybersecurity is a top-of-mind issue for Boards. But how can Boards translate this serious concern into more effective leadership in the cybersecurity field?
It is critical in today’s digital environment for both the C-Suite and the board to be “digitally conversant.” In spring 2019, MIT published a study demonstrating that companies whose board membership included at least three “digital-savvy directors” were likely to achieve increases in profit margins of up to 7% and a 38% increase in revenue growth. The MIT study described this increased knowledge of the digital world as the “new financial performance differential.”
There are a number of steps that can be taken to create a digitally educated board.
Assess Your Board’s Digital and Cybersecurity Expertise and Fill Knowledge Gaps
Boards should certainly consider adding a Board member with specific cybersecurity expertise, and should ensure that the other members possess enough “digital savvy” to understand and build on that Board member’s cybersecurity knowledge and skills.
Among other things, a board member with strong cybersecurity expertise can:
- Both train and educate other board members on cybersecurity matters and oversee a more focused training program (see below);
- Direct an assessment of the company’s existing cybersecurity risk. This will require a director with the ability to build a strong working relationship with senior management and, in particular, the Chief Information Officer and, where the company has one, the Chief Information Security Officer;
- Develop, in conjunction with the officers noted above and the other board members, a comprehensive plan that is designed both to reduce the likelihood of a cybersecurity attack and to respond to one promptly and efficiently if one occurs; and
- Oversee frequent board discussions on cybersecurity.
In sum, a cybersecurity-educated board member should raise the whole board’s understanding of the company’s cybersecurity risk and its awareness of why that risk matters.
Maximize the Exchange of Information Between the Company and the Board
The first step in educating board members about cybersecurity should be developing an agenda with adequate time set aside for intensive interaction and information sharing between senior management and the board on current cybersecurity risks and the processes in place to address them. The purpose of these sessions should be for management to present the company’s cybersecurity posture and to answer any and all questions the board has about the company’s cybersecurity risk. These interactions should be both timely and frequent, and they should become an ongoing part of the board’s continuing responsibilities. Management should be charged with explaining all aspects of the company’s cybersecurity policy, and should be able to clearly explain every change, refinement and improvement to that policy and the reasons for each.
To help maximize the benefits of these interactions, the board may find it useful to hire an outside facilitator for these question-and-answer sessions. If the board already has a member who is a cybersecurity expert, that member may be best suited for this role. Many boards have established separate advisory boards or committees whose role is to focus exclusively on cybersecurity risk and response. Such a committee might oversee and manage the management-board sessions.
The Council of Institutional Investors has proposed a number of questions for the participants in such sessions to ask of themselves. Each category of questions is designed to maximize the educational benefit of the session and the understanding the participants take from it. A list of questions might include:
- What has the company’s experience been with cyber-attacks? How frequently have these occurred, and what was the severity of and consequences from each? What changes have been made to reduce the likelihood and impact of a recurrence?
- How are the company’s cyber risks communicated to the board, by whom and with what frequency? How is the company organized to appropriately address cybersecurity risk?
- Has the Board evaluated and approved the company’s cybersecurity strategy and policy? If not, how can the Board best review and approve the company’s approach?
- How does the Board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
- How does the Board evaluate the effectiveness of the company’s cybersecurity efforts?
- When did the Board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance? How should this be accomplished?
Formal Cybersecurity Training Programs for Boards
In 2014, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) was developed to assist “organizations — regardless of size, degree of cybersecurity risk or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.” The CSF “focuses on using business drivers to guide cybersecurity activities and [considers] cybersecurity risks as part of the organization’s risk management processes.” Other frameworks are used as well. ISO 27001 has provided requirements for information security management systems for years.
Thoroughly understanding these high-level standards for establishing and implementing best practices in cybersecurity is, in itself, a valuable educational process. NIST provides separate training as well, and there are myriad training programs aimed specifically at directors.
The board’s cybersecurity expert and its advisory committee on cybersecurity should conduct a thorough review of the relevant training programs and interview the providers to determine which program best suits the board’s needs.
Without doubt, cybersecurity challenges are among the most complex that a board needs to address. Though a cyber-attack may, in the end, be unavoidable, it is imperative that boards educate themselves early and continually. All the suggestions above should be complementary and can be undertaken in parallel. Most importantly, boards must be willing to constantly update their own educational tools as they continue to deepen their knowledge.