Cyber-Risk Oversight: 3 Questions for Directors

By Robyn Bew – Director of Research for the National Association of Corporate Directors (NACD)

Cybersecurity is no longer an emerging issue. Major headlines about breaches in both the public and private sectors have put the topic on every company’s agenda, regardless of size, industry or geographic location. Just like the management teams they oversee, corporate directors are well aware of the ‘what’: the fact that cybersecurity is a significant threat. What they are looking for is the ‘how’: specific actions they can take to be more effective in overseeing management’s activities.

One independent director – a committee chair of a Fortune Global 100 corporation – recently told me: “Cybersecurity is uncharted territory. As directors, we have to depend on staff whose capabilities we aren’t equipped to judge, it’s difficult to measure progress and there’s no way to tell if we’re doing enough.”

Directors seeking to assess the effectiveness of their board’s cyber-risk oversight can ask three questions: ‘Do we understand the nature of the cyber threat as it applies to our company?’, ‘Do our board processes and structure support high-quality dialogue on cyber matters?’ and ‘What are we doing to stay current as the cyber-threat landscape continues to evolve?’.

Do we understand the nature of the cyber threat?

It seems as though a different story about malicious attacks, data breaches, downed websites or stolen personal information appears in the news on a weekly, if not a daily basis. It’s easy to get caught up in the headlines, but board members should ensure that they have a clear understanding of their company’s specific cyber-risk profile – one that takes into account characteristics such as industry sector, lifecycle stage, geographic footprint, value chain, partnerships and affiliations, organisational structure, corporate culture and risk appetite. This approach avoids pigeonholing cybersecurity as an ‘IT issue’. Instead, boards should define and treat it as an enterprise-level risk – one of the five principles of cyber-risk oversight developed in recent research by the National Association of Corporate Directors (NACD).

Directors should also ask questions about the legal implications of the company’s cyber-risk profile, including relevant regulations and reporting requirements of the various jurisdictions in which the firm operates, as well as potential areas of liability for board members (individually and/or collectively).

[NACD Table 1]

[NACD Table 2]

Do our board processes and structure support high-quality dialogue on cyber matters?

A question we often hear from NACD members is: “How should we allocate responsibility for cyber-risk oversight at the board level?”

There is no single answer or best approach that will fit every board – some boards conduct all cyber-risk-related discussions at the full-board level, others assign specific cyber-oversight responsibilities to one or more committees (audit, risk, technology, etc) and others use a combination of these methods. Whichever approach the board chooses should be clearly defined in committee charters, so that no area of oversight falls into a gap between committees and no effort is duplicated.

Some boards go a step further and invite all directors to attend committee meetings on cyber issues or employ cross-committee membership, to encourage knowledge-sharing and dialogue. For example, one global company we know of has a technology committee whose members include experts on privacy and security from a customer perspective. The audit and technology committee chairs are members of each other’s committees and the two committees meet together once a year for a discussion that includes a ‘deep dive’ on cyber.


In addition to including cybersecurity as a specific topic on the agenda of the full board and/or key committees, directors should also ensure that cyber issues are included in the board’s discussions about strategy and business plans, new product and market-entry proposals, transactions, capital investments, joint-venture opportunities and so on. In other words, as an enterprise-wide risk, cybersecurity must be integrated into a wide range of boardroom conversations rather than being left in an IT silo.

[NACD Table 3]

Efficient and productive boardroom dialogue also requires good information from the management team. In NACD’s latest survey of more than 1000 public-company directors, only 13 per cent of respondents said they were ‘very satisfied’ with the quality of information they receive from management on cyber-risk and related IT risks – and fewer than two per cent reported high satisfaction with the amount of information provided by management on those topics. In addition to reports tracking attack and intrusion patterns, board members should ask for regular briefings – in plain language and with a minimum of technical jargon – on ‘situational awareness’ issues, including the company’s most critical data assets and likely cyber-adversaries, the biggest areas of vulnerability and the results of recent system penetration tests or external assessments of the company’s defences, including which findings have been remediated and which remain open.

Directors should also ask for information about the ways in which cyber-threat management is built into company policies, operating plans, employee training programs and the like, as well as information about the company’s incident response protocols, including external and internal communications and business continuity plans.

What are we doing to stay current as the cyber-threat landscape continues to evolve?

One of the most disconcerting aspects of cyber-risks is the speed with which they are growing and changing. Technologies continue to advance, attackers are becoming increasingly sophisticated and new categories of threats seem to emerge all the time. For the average (that is, non-cyber expert) board member, even feeling informed enough to ask good questions can seem like a daunting challenge, as the Global 100 director’s comment indicated. Nonetheless, there are a few practical steps that board members can take.

First, ensure that management is keeping cyber-risk mitigation strategies and breach response plans up to date through ‘field-testing’ (via simulation exercises or role plays) and incorporation of lessons learned after events occur.

[NACD Table 4]

Second, look for opportunities to bring expert perspectives into boardroom discussions. Some boards may choose to do this via director recruitment, although, as with other types of highly-specific director skillsets, cyber expertise may be more of a priority for some boards than for others, depending upon industry and other factors. Every board, however, can tap into the knowledge of its existing advisors, such as the external auditor and outside counsel – many of these firms have highly-developed expertise in specific aspects of cybersecurity. In addition, more and more boards are requesting briefings from third-party experts, such as government agencies, law enforcement or specialist cybersecurity firms. This outside information does not replace reporting from management; rather, it should be considered complementary.

Third, ensure that management is maintaining relationships with relevant law enforcement authorities and industry cyber-information exchanges.

It has become an unfortunate cliché that there are only two types of companies in the world – those that have been hacked and those that don’t yet know they’ve been hacked. In today’s environment, it is unrealistic to expect that boards of directors can prevent cyberattacks.

The board’s role is to apply sound business judgement and provide “effective guidance to management, in order to ensure the company’s cybersecurity strategy is appropriately designed and sufficiently resilient”1 in the context of the competitive environment in which the firm operates.


About The Author:

Robyn Bew is Director of Research for the National Association of Corporate Directors (NACD). Before joining NACD, Ms. Bew was a Principal at Tapestry Networks, where she ran several networks of large-cap public company board members, and was a leader of the firm’s work on bank governance and board-shareholder engagement issues. She has been a featured presenter on governance topics at conferences of the Institute of Internal Auditors, the National Retail Federation, the International Financial Risk Institute and the American Chamber of Commerce in Beijing. Earlier in her career, Ms. Bew was a Senior Director at the Corporate Executive Board and a management consultant at Monitor Group.