How boards can improve their cybersecurity oversight
A new report details how directors can step up their oversight of cyber risks by insisting that cybersecurity be a business discussion, with the right senior executives in the room, and by gaining a more sophisticated understanding of the threats.
The report, Overseeing Cyber Risk, published by the Harvard Law School Forum on Corporate Governance and Financial Regulation, notes that cyber threats are everywhere. Breaches cost companies — both in money and reputation — and those costs are rising. Indeed, Cybersecurity Ventures predicts that the global annual cost will double from US$3 trillion in 2015 to US$6 trillion by 2021.
Yet the report notes that many directors are not confident that management has a handle on cyber threats. PwC’s 2017 Annual Corporate Directors Survey, for example, found that only 39 per cent of directors are very comfortable that their company has identified its most valuable and sensitive digital assets. And a quarter had little or no faith that their company had identified who might attack it.
The authors of the report — Paula Loop and Catherine Bromilow from the Governance Insights Center in the US, and Sean Joyce, the US cybersecurity and privacy leader at PwC — say the first step is for the board to recognise that the responsibility for handling cyber risks goes well beyond the chief information security officer (CISO).
The report notes that boards shortchange the time they give to discussing cyber risks. In addition, few boards have directors with current technology or cybersecurity expertise, which puts directors at a disadvantage when trying to judge whether management is doing enough to address cyber risks.
To help boards deal with these issues, the report’s authors list the following questions to examine, along with some advice:
Q. Since cybersecurity is really a business issue, should the full board oversee it?
If the full board doesn’t want to oversee it, ensure that — at a minimum — whichever committee is assigned the responsibility provides regular and comprehensive reporting up to the whole board. And, consider moving cybersecurity from the already overloaded audit committee to another board committee.
Q. Does the board need more cybersecurity or technology expertise?
For some companies, the answer will be to recruit a director with serious cybersecurity expertise. But people with these skills are hard to find, especially since the technology landscape is changing so quickly. Some boards may not have room to add another member. Others may not want to add someone with such specific expertise unless they’re confident that person could handle other board matters as well. So instead they may look for other ways to address any gap, including continuing education and using outside advisors.
Q. Is everyone in the room who needs to be?
The cybersecurity discussion should include business, technology and risk management leaders, as well as the CEO and CFO. This will reinforce cyber as an enterprise-wide issue and show that directors expect everyone to be accountable for managing the risk.
Q. Does the board have the information needed to oversee cyber risk?
First, consider whether you have the basic information you need on the company’s IT systems and security resources. This type of information doesn’t change much, so directors will likely need only periodic refreshers. But they will want more frequent reporting on what does change.
It’s also helpful for directors to see whether management believes cyber risk is increasing, stable or decreasing. They should also insist on being provided with a good dashboard that gives them an at-a-glance understanding of the company’s cyber risk.
Q. Has the board built a relationship that allows the CISO to be candid with directors?
The CISO has a lot of responsibility but doesn’t always have the authority to insist that other technology and business leaders fall in line. A strong relationship with the board helps the CISO feel comfortable giving directors the true picture (warts and all) of cyber risks, including a view on whether resources are adequate. Periodic private sessions with the CISO are a key part of understanding whether the company is doing enough to manage these risks.
Q. How can the board determine whether the controls and processes designed to prevent data breaches are working?
Speaking to objective groups, such as internal audit, can offer the board different perspectives. The board may also want to hire its own outside consultants to periodically review the state of the company’s cybersecurity.
The report’s authors also provide these tips on how directors can improve their own knowledge of cybersecurity:
- Hold deep-dive discussions about the company’s situation. That could include the company’s cybersecurity strategy, the types of cyber threats facing the company and the nature of the company’s 'crown jewels'.
- Attend external programs and conferences.
- Ask management what it has learned from connecting with peers and industry groups.
- Ask law enforcement and other experts to present on the threat environment, attack trends and common vulnerabilities.