What’s at stake for today’s companies and consumers? How are other boards structuring oversight? What should directors know about their liability risk in the wake of a data breach? Should boards be recruiting cyber experts? These are the questions we explore in this Module of the Board Oversight Series.
With such a large part of today’s market value concentrated in digital assets, a cyberattack becomes one of the greatest dangers facing a company today. How much cyber risk is your organization willing to sustain on the road to long-term growth? This is the question today’s board members must answer as they navigate a rather high-stakes game of risks and rewards.
Use our navigation below to jump to Module sections. Or simply start scrolling down to read the full overview. Feel free to bookmark this page, as we’ll update it frequently with new resources.
Why is Cyber Risk So Challenging to Oversee?
Cyber risk encompasses a spectrum of threats and motives.
Cyber risk is defined by RSA as “the potential of loss or harm related to technical infrastructure or the use of technology within an organization”. A full understanding, however, necessitates that cyber risk be further categorized by intent (malicious or unintentional) and source (internal or external). Understanding cyber risk along these dimensions is key to structuring a company’s defenses. A data breach, for example, may not always be criminally motivated, and certain industries may be more likely to experience internal vs. external threats.
Cyber risk is complex, unfamiliar, and continuously evolving.
Cyber risk oversight–and its technical concepts and vocabulary–can feel foreign to directors. At an average age of 63, the vast majority of today’s board members didn’t encounter cyber risk during the course of their careers–at least not at the level today’s organizations must operate. However, directors must recognize the similarities between cyber risk and other types of risk oversight, which they’ve long managed. Each member of the board is ultimately responsible for getting themselves up to speed and acquiring the language necessary to ask the right questions.
[Boards shouldn’t] think that [cyber] is something so technical and brand new that they don’t have a handle on it. Boards have dealt with risks of all kinds within their organizations in the past—they have adopted new risks over time. If they’re skilled and feel confident doing that, then they should feel confident about cyber.
This resource from RSA offers a comprehensive definition of cyber risk and identifies the management team members who should be involved in structuring oversight.
It's important for today's board members to familiarize themselves with today's cyber risk landscape. We identify four emerging cyber trends that organizations should have on their radar.
Small companies often mistakenly believe that they are less attractive to attackers than larger companies with more valuable assets. In reality, nearly half of all cyberattacks are committed against small businesses, in part because they are easier targets.
How Should Boards Be Approaching Oversight?
Recognize that cybersecurity is an enterprise-wide initiative—not just an IT issue.
Historically, cybersecurity has been relegated to the IT department. Once or twice a year, the head of IT would make a technical presentation to the board that often left eyes glazed. Fast forward to today, and critical board discussions of strategy and risk are increasingly reliant on an understanding of the company’s cybersecurity posture. A siloed approach to cybersecurity will simply no longer suffice.
In the modern organization, every department–whether Marketing, Sales, Accounting, HR or Product Development–is likely working with different vendors and using technology in different ways. For this reason, every department must be involved in identifying and mitigating the company’s cyber risks. Many companies are incorporating a Chief Information Security Officer (CISO) into the management team to own the cybersecurity strategy and implementation across the organization. Yet, it’s often up to the other members of management to set the tone within their department and mitigate the cyber risks created by their department’s activities and third-party relationships.
Conduct an external analysis and leverage existing industry data.
Even though every company has a different set of risks and threat actors, understanding industry trends can shed light on where cybersecurity time and budget may be best allocated. For example, the majority of cyberattacks in the U.S. hospitality industry can be traced to external actors targeting customer payment-card data, typically at the point of sale. Compare that to hospitals and healthcare organizations, where breaches are more likely to originate internally, from human error. Knowledge is power when it comes to understanding the company’s most likely cyber adversaries and their motivations.
Don’t overlook the human factor.
The “human factor” is all too often overlooked in board discussions of cyber risk. Consider the frequently cited estimate that 91 percent of successful attacks begin with a phishing email (i.e., a fraudulent email designed to trick an employee into disclosing credentials or other valuable information, or into opening a malicious link or attachment). Today’s boards should press management to explain what the company is doing to teach employees to recognize the most common cyber risks and how to report them. Although its effect is difficult to measure, a cyber awareness training program is often one of the most impactful things the board and management team can implement on the road to cyber resilience.
Everyone is a source of cyber risk. Public failures become personal. Personal failures become public. Even seemingly small lapses in judgment or policy oversight can have dire consequences.
In this report, Verizon paints a picture of the cyber threat landscape including data by industry. Which industry experiences the highest number of cyber incidents? What can you learn about your organization's most likely threats?
As more organizations recognize the role of employee error in cyberattacks, spending on cyber awareness training programs is expected to hit $10 billion by 2027. We outline the elements of an effective employee training program.
Mandiant, a FireEye company, looks at global trends in cybersecurity. Specifically, this report examines breach data by industry, internal vs. external threats, and global dwell times (i.e., the time between an attacker’s initial compromise of a network and the organization’s detection of that attacker).
NIST Cybersecurity Framework
Leveraging framework components to reach a better cybersecurity posture.
The “Framework Core” entails five functions: (1) Identify: cataloging the assets, systems, data, and people that make up the organization’s cyber risk profile; (2) Protect: prioritizing and implementing safeguards for the company’s most valuable assets; (3) Detect: deploying the monitoring needed to spot the most harmful and most likely threats; (4) Respond: outlining a timely response plan that considers all stakeholders; and (5) Recover: detailing the actions necessary to restore services and protections following an incident.
In the April 2018 revision of the framework (version 1.1), NIST reviews the changes made since the original release. This comprehensive document guides boards through the three main components: Framework Core, Implementation Tiers, and Profile. (NIST has since published version 2.0, which adds a sixth function, Govern, covering the risk-management strategy, roles, and oversight responsibilities discussed in this Module.)
This blog provides additional context around the development of the NIST framework, including a summary of its main components.
Governance & Composition
Should we recruit a cyber expert to the board?
Less than one-fifth of directors say they are satisfied with the current levels of IT or cybersecurity expertise on their board. Yet many boards debate whether recruiting directors with cyber expertise is actually the best strategy for board oversight—especially since these candidates typically lack broader operational experience. Many boards are taking a chance on these first-time directors, while others are electing different methods for incorporating cyber expertise.
What conversations does our board want to be having around cybersecurity?
Not all cybersecurity experience is the same. Even after a board decides it needs a cyber expert, there are many layers to peel back, says Spencer Stuart’s Jason Baumgarten: “What conversations does your board want to be having around cybersecurity that you feel unable to do with your current board expertise?” By asking this simple, powerful question, says Baumgarten, boards begin to evaluate their needs through a different lens.
In our blog titled, Should We Recruit a Cybersecurity Expert to the Board?, Baumgarten outlines the types of introspective questions that should precede any board search: How much time are we going to be spending on cyber risk in the boardroom? Given our business model, are we more concerned about third-party risk or about the ethical and regulatory aspects of data management? Do we need an enterprise CISO or someone who’s lived through a specific episode or disruption? Are we better off creating an advisory board vs. recruiting a full-time director? Thinking through these questions beforehand will always result in a better long-term fit.
…people are recognizing that having a CISO on the board is not necessarily a clear path to shifting the discussion around cybersecurity…A lot of the cyber challenges that today’s companies are facing are not just the traditional cyber issues–rather, they’re regulatory, they’re business-model driven, and they involve broader ethical questions around how to interact with data and machine learning.
This resource from Temple University's Fox School of Business gives an overview of the various methods for structuring cyber risk oversight. It focuses specifically on the board's relationship with management and provides checklists following each section.
This cybersecurity resource from PwC's Governance Insights Center weaves in statistics from the Annual Corporate Directors Survey. What should be on the board's cyber risk dashboard?
This article from The Conference Board Governance Center takes a unique case study approach to examining cyber risk governance. Five board members are interviewed yielding insights on forming a dedicated technology committee, management reporting, third-party penetration testing, and more.
Elements of a Cyber Breach Response Plan
Line up any external partners or resources before a crisis hits.
The hours following a data breach are not the time to be interviewing new law firms or PR agencies. The board and management team should arrange any external relationships ahead of time as part of the broader crisis response plan. In our blog titled, Before the Breach: 4 Board Lessons in Cyber Breach Preparation, Betsy Atkins outlines the third-party relationships to consider, including outside counsel, PR and IR agencies, forensic consultants, contacts within law enforcement, etc. The crisis plan should indicate (a) when each partner is notified and (b) what its responsibilities are. Many companies retain forensic consultants through outside counsel in an effort to keep the investigation under attorney-client privilege, although courts have not always upheld that protection, so the engagement terms deserve the board’s attention before an incident, not after.
How does cyber insurance fit into the organization’s total risk management process? This paper from Women Corporate Directors outlines the questions that boards should be asking management, along with an overview of the current cyber insurance landscape.
From establishing external relationships to outlining a ransomware policy, there are several steps boards should be taking now to ensure they're prepared for the worst.
Disclosure & Liability
What should boards know about liability related to cyber risk?
Boards have a duty to oversee risk across the organization–a duty that stems from their basic fiduciary duties of care and loyalty. In this episode highlight, William Chandler, Former Chancellor of the Delaware Court of Chancery, outlines a board member’s oversight duties related specifically to cyber risk.
In the case of a cyber breach, Chandler explained, a court will determine the board’s liability by asking two questions: (1) Did the board have a reporting system in place for monitoring cyber risk throughout the company? (2) Following its own system, did the board address any red flags in a timely manner? This is the same standard Delaware courts apply to board oversight claims generally (the Caremark standard).
Thus, not only should today’s boards have a process for overseeing cyber risk, but that process should be well documented. In our blog titled, Cyber Risk Oversight: Understanding Board Liability, the Wilson Sonsini Goodrich & Rosati team shares actionable steps board members can take to mitigate liability.
I use this old metaphysical story: If a tree falls in the forest, and there’s no one there to hear it, does it make a noise? The corporate law analog to that is: if a board follows an exemplary process but has no record of it, will the judge still respect what the directors did? You don’t want to find out the answer to that.
How should U.S. companies be approaching cybersecurity disclosure? We review current SEC guidance and outline cyber disclosure trends stemming from the latest proxy season.
What should boards know about their duties and liability related to cyber risk—particularly in the wake of a data breach? We review board oversight responsibilities and emphasize the areas where boards should be devoting the most time.
This Harvard Law resource provides a more technical overview of the current U.S. disclosure landscape, including SEC guidance, U.S. state and federal breach notification laws, and the EU Market Abuse Regulation (MAR) and GDPR disclosure requirements.
Common Mistakes in Board Communication
2. Overlooking the implications and liability risk
When directors use personal channels for board communication, they seldom think about the implications should the company ever come under litigation. The Delaware Courts have held that any electronically stored materials relating to the business become the property of the company and are therefore “discoverable”. Thus, even if directors are using personal email, computers, or text messaging for incidental board matters, it could all be subject to e-discovery. Today’s corporate secretaries must set the tone for responsible communication practices and ensure their directors understand the dangers of communicating outside of a secure board portal environment.
In this joint research project, the New York Stock Exchange and Diligent surveyed nearly 400 directors to understand how they communicate with other members of the board. Which practices are the most common? Which ones pose the greatest risk?
As companies like Facebook and Google come under fire for data misuse, we discuss various implications for today’s board members and corporate secretaries.
In this blog, we review all the ways that email communication can put the board at risk. What guidelines should boards follow for safer, smarter communication?
Additional Cyber Risk Resources
Powered by NYSE Governance Services, this interactive cyber risk playbook is one of the best resources we've come across. This group of executives, directors and industry influencers presents a set of cyber risk guidelines based on real-world case studies.
In this special "highlights" video, we revisit past episodes to extract our best advice for boards on cyber risk–from structuring oversight to understanding liability risk.
This resource from PwC's Governance Insights Center outlines common obstacles boards face when overseeing cyber risk—from building dashboards to recruiting cybersecurity expertise.
Kathy Misunas, a board member with Tech Data Corp. and Boingo Wireless Inc., explains why her board(s) decided to form a Cyber Risk Committee. What was the catalyst? How did the committee evolve over time?
The NACD's Cyber Risk Handbook outlines five core principles that boards should follow to enhance their oversight of cyber risk across the organization. This resource is free to download for NACD members.
On the heels of last year's Next Gen Board Leaders Mini-Summit, we share key takeaways from the closed-door discussions. What mistakes are some boards still making when it comes to cyber risk oversight?
This tool from the Center for Audit Quality outlines a roadmap of questions for boards to be asking senior management and their CPA firm.
Christian Hoffman explains what a cyber risk insurance policy typically covers. What questions should boards be asking management about their company's need for cyber insurance?
In this two-part series by Corporate Board Member, Michael Chertoff, Former Secretary of the U.S. Department of Homeland Security, discusses what boards are often missing with regard to cybersecurity.