Enhancing Board Oversight of Cyber Risk
The role of corporate directors in cyber risk oversight has been cast into the spotlight by a succession of high-profile cyber risk events, including recent hacker incursions at Equifax, Uber, Facebook, Google and several other well-regarded corporations. Regulators are also tightening the squeeze, seeking positive affirmation from boards that their cyber risk governance structures are effective and fit for purpose.
The rising customer, investor, shareholder and regulatory expectations have merit; most data breaches have their roots in profound lapses in corporate governance, not in technology, as is commonly perceived. Given that the stakes are so high, an increasing number of corporate directors are seeking deeper insight into cyber risk and its potential impact on their strategic priorities and regulatory compliance.
But despite the growing enthusiasm, most corporate directors still find cyber security highly cryptic and existing frameworks tedious. Predictably, a recent Deloitte study painted a grim picture regarding CEOs and directors’ involvement in cyber security, with only 38 percent of polled CEOs and 23 percent of board members identifying themselves as “highly engaged” in the subject.
So, how can corporate directors play a leading role in reducing their enterprise cyber risk profile? Based on my experience helping enterprises develop cyber resilience strategies and governance frameworks, here are four practical recommendations.
Develop a strategic understanding of cyber risk and its business implications
To truly fulfill their oversight responsibilities, corporate directors should proactively address knowledge gaps and get up to speed with cyber risk and its potential impact on the business value chain, margin, customer retention, and other key priorities. At the very least, they can appoint a tech-savvy director to the board or employ an independent expert to uncover their enterprise’s cyber blind spots and provide industry-level insights into key vulnerabilities and response measures. But to develop the necessary smarts to challenge complex cyber issues and provide effective strategic counsel, corporate directors ought to pursue cyber literacy courses, such as the Cyber-Risk Oversight Program. Established by the National Association of Corporate Directors (NACD) in conjunction with the CERT Division of the Software Engineering Institute at Carnegie Mellon University, this self-paced online program provides corporate directors with a tangible credential to demonstrate an advanced understanding of their cyber risk oversight responsibilities to investors, regulators or shareholders.
Strengthen cyber risk governance structures
Underpinning any cyber resilient environment is a strong governance framework. With that end in mind, corporate directors should challenge management to establish a cross-functional cyber risk committee composed of senior executives from key functions, such as general counsel, marketing, public relations, operations, technology, finance and compliance. Chaired by the chief information security officer (CISO), the committee’s core mandate is to ensure the enterprise maintains adequate cyber defence and response measures, carefully balancing opportunity and risk. The cyber risk committee also challenges the cyber resilience strategy, enabling the CISO to prioritise the protection of high-value business systems while cutting off low-value initiatives. Using business-centered metrics and commentary, the cyber risk committee should report to the board on a regular basis, at least quarterly.
The board of directors can also enhance cyber resilience by challenging management to maintain an adequately resourced cyber security function. To do this, they should ensure that the CISO has enough organizational clout, reports directly to the CEO, and has regular access to the board. An empowered and decisive CISO promotes business resilience and efficiency, as she can swiftly veto decisions that expose the enterprise to excessive risk, enhancing cyber resilience while promoting business agility. Unfiltered conversations also help the board and the CISO to engage at a deeper level and create shared perspectives, bolstering trust while informing the CISO of top business priorities. They also give the board ground-level insight into critical cyber security exposures, alignment of cyber security investments with corporate goals, comparison of cyber security capabilities against industry peers, and other important matters. By contrast, as I wrote in my Amazon best-selling book, “channeling critical messages through hierarchies can impede on transparency or dilute messages”.
Validate cyber crisis response measures
No matter how good a cyber resilience framework is, it is bound to get better if it is regularly tested and refined. The board has a responsibility for ensuring that a comprehensive cyber crisis management plan is in place and that response capabilities are regularly tested against high-impact scenarios. Stress testing cyber response capabilities in controlled environments validates key assumptions, uncovers defective procedures and clarifies key responsibilities – reinforcing muscle memory and instilling business confidence.
Furthermore, cyber scenario drills answer some important questions, for example:
Who makes critical decisions during a cyber crisis event, such as paying a ransom if vital business files are rendered inaccessible without up-to-date backups?
Who is authorised to speak to the media, regulators, key customers or shareholders in the event of a major data breach?
Which business functions are a priority if IT resources are significantly constrained by a cyber attack?
Does the enterprise have pre-prepared messages for call center staff to provide consistent information to customers in the event of a data breach?
Attempting to make these critical decisions during a cyber emergency can lead to significant missteps, conflicted messages or internal squabbles, aggravating an already dire situation.
Understand data protection legal obligations
The barrage of data breaches has prompted several countries to tighten data privacy laws. A case in point is the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. Widely considered one of the toughest data privacy laws to date, the GDPR gives internet users greater control over their data and imposes stiff penalties (up to 4% of global revenue) on non-compliant entities. Several other countries – such as Canada, China and Australia – have enacted their own versions of data protection laws. To effectively deliver their duties, corporate directors must develop a good understanding of the laws that govern the collection, use, disclosure and management of consumer information within the jurisdictions they operate in, and ensure there is a clear road map to address any regulatory gaps.
At the same time, regulators are also demanding that directors provide demonstrable oversight of cyber resilience programs. For instance, in 2017, the New York Department of Financial Services (NYDFS) imposed a requirement for CISOs of covered entities to provide annual cyber security reports to their boards or equivalent governing body, detailing the cyber security program and material cyber security risks. Other regulators will likely follow suit, holding directors personally accountable for failures in cyber risk oversight. Therefore, corporate directors should acquaint themselves with key areas of potential personal liability and take the necessary measures to fulfill their cyber risk oversight obligations, thus preserving their reputations.
Despite the billions of dollars invested in cyber security solutions every year, the bad guys keep outsmarting enterprises – pilfering billions of sensitive records, manipulating stock markets, stealing trade secrets and committing several other egregious acts. It has become clear that change driven solely by technology will not suffice; real transformation needs to start higher up, with the board holding management accountable for maintaining strong cyber defence and response measures.