Emerging Cybergovernance Discipline Protects Directors from New Risks
How can directors actively oversee cybersecurity to meet their duty-of-care obligation to shareholders?
This article originally appeared in the May/June edition of NACDonline.org
Despite an estimated $70 billion spent annually on cyber technology and services, the potential fallout from cyber breaches is increasing, and with it the risk to companies and directors. In a recent NYSE survey of 276 public board members, 60 percent said they expect an increase in shareholder suits and 72 percent expect more regulation related to cyber risk governance.
In “Cyber Risk: The Least You Need to Know” (NACD Directorship, January/February 2016), the authors enumerated critical issues for 2016 board agendas. Their aggregation of key concerns highlighted the emergence of a new board discipline that could be equal to financial governance in its impact on risk, yet requires its own focus, processes, and tools.
Managing Cyber Risk: Who’s Responsible?
Frequent headlines in recent years about large breaches of commercial enterprises and governmental agencies support the contention often stated by Ted Schlein of Kleiner Perkins and others: “There are only two types of companies in the world: those that have been breached and know it, and those that don’t.”
For years, responsibility for cybersecurity fell solely upon the chief information officer and information technology staff. Executive management expected these leaders and teams to make sure the organization’s networks were safe. While the threat of a breach was established, the risk was perceived as relatively manageable. More recently, the frequency and impact of breaches have revealed a divergence between information technology (IT) and security concerns.
Asking IT to focus on operational efficiency and budgetary restraint conflicts with the need to spend large amounts on defensive technology for cybersecurity. In response, many organizations have established a chief information security officer (CISO) who reports to the CIO. As the tension between security (“spend”) and IT (“don’t spend”) grows, the trend is to elevate the CISO to the C-suite, alongside the CIO. While the CISO continues to rely on IT to manage cyber resources, the CISO’s concerns extend to broader issues, e.g., cybersecurity training for the workforce and tighter vetting of cyber risk introduced by outside vendors and partners.
With the realization that cybersecurity is not exclusively an IT problem and that a breach can represent a significant threat to valuation, the responsibility for improving organizational cyberattack readiness has become a continual concern for the board of directors. Statements and actions by the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) are pressuring directors to assume a larger role in leading their companies to greater cybersecurity maturity. Addressing cyber risk is rapidly becoming a mandatory aspect of the board’s fiduciary responsibility to minimize other risks to corporate value.
The Evolution of Cybergovernance
Following a rash of corporate fraud in the late 1990s, the passage of the Sarbanes-Oxley Act of 2002 initiated a sea change in financial reporting standards that transformed board financial governance. Governance of cybersecurity, known as cybergovernance, is tracking the path laid over a decade earlier by the emergence of stricter financial governance.
The parallels between financial governance and cybergovernance are striking. Both started with highly publicized events that threatened valuations and shook investor confidence, inspiring a search for better ways to mitigate risk. While the cyber equivalent of the Sarbanes-Oxley Act is not yet in place, the number of bills being introduced suggests the impending likelihood of significant legislation.
The knowledge gap between board members and CISOs frustrates both parties. CISOs want to educate boards by presenting key statistics about operational threats, yet they often use terms that few directors understand. Directors have a different perspective. They want to understand the business risk in terms related to other forms of risk. Imagine trying to conduct a board meeting where board members and management speak different languages.
In response to this gap, we are witnessing the emergence of a new board discipline: cybergovernance, i.e., cybersecurity oversight.
Looking for Answers
In striving to enhance cyber risk oversight, boards are searching for the best ways to provide more effective cybergovernance. Two non-exclusive paths have emerged.
Adding a cybersecurity expert to the board may make sense for some organizations. Large companies taking this approach include AIG, Delta Air Lines, General Motors, and Wells Fargo & Co. For many companies, though, daunting issues challenge the widespread adoption of this approach as a cyber risk governance solution.
The 2014 Cisco Annual Security Report projected a shortage of as many as 1 million qualified IT security professionals globally for public and private sector organizations. The challenge of finding a candidate who is both a cyber expert and qualified to meet the fiduciary responsibilities of a director prevents all but the largest, best-resourced companies from pursuing this strategy. Moreover, adding a cyber expert can increase the board’s liability by crossing the line from oversight to management.
The assessment of cyber maturity against accepted standards is being adopted as a way to measure an organization’s progress toward cybersecurity. In recent years, standards developed by highly respected bodies have helped to illuminate the state of cyber breach readiness.
The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is the current gold standard in the United States for evaluating the efficacy of cyber risk mitigation, and it is effective for the following reasons:
- Objectives are stated in comprehensive and comprehensible business terms.
- The framework assesses not only the prevention of external threats, but internal improvements in culture, and advances in managing external supply chain risk as well.
- The NIST framework and other leading compliance frameworks are non-prescriptive, allowing management to tend to the details while keeping everyone informed of the organization’s risk mitigation status.
The Sarbanes-Oxley Act of 2002 profoundly changed the public attitude toward governance and led to greater expectations for the accountability of directors. Similarly, cyber breaches are another wave of change that can’t be ignored. The board’s fiduciary responsibility to mitigate risk now extends to improving board oversight of cybersecurity.
Most directors realize the threat cyber risk represents to their company and to the nation’s economy. Directors are being found liable for cyber systems failures. Governing agencies (e.g., the SEC, FTC, and others) are taking regulatory action against boards and management with the full support of the courts. Derivative suits are increasing, and defending against them is expensive and time-consuming, regardless of the outcome.
You and your board are not alone. The need for leadership is acute, and the reputation of organizations and individuals is at risk. Every company is different, and directors should choose the level and types of engagement that are appropriate for their board. CEOs and directors everywhere are grappling with the threat that cyber breaches represent to the value and reputation of their company. Effective leadership involves rising to the challenge through a thorough understanding of the problem and an eagerness to apply new concepts to address it.
Bob Barker is chief strategy officer at Cybernance Corp. and the editor of and a regular contributor to its Cybergovernance Journal.