Cyber Risk

Welcome to the Board Oversight Series! These interactive web pages (i.e., Modules) are designed to take a deeper dive on critical board topics. This page is dedicated to Cyber Risk with ESG and Corporate Culture coming soon.

Fifty percent of S&P 500 companies will be replaced in the next 10 years...

…a sobering (and perhaps thrilling) statistic for today’s business leaders, yet one that reflects the immense pressure on companies to innovate or be left behind. As investors and market pressures drive organizations to become more digital, more global, and more sustainable, today’s boards are finding discussions of risk appetite to be a delicate balancing act.

What’s at stake for today’s companies and consumers? How are other boards structuring oversight? What should directors know about their liability risk in the wake of a data breach? Should boards be recruiting cyber experts? These are the questions we explore in this Module of the Board Oversight Series.

With such a large part of today’s market value concentrated in digital assets, a cyberattack becomes one of the greatest dangers facing a company today. How much cyber risk is your organization willing to sustain on the road to long-term growth? This is the question today’s board members must answer as they navigate a rather high-stakes game of risks and rewards.

Why is Cyber Risk So Challenging to Oversee?


Cyber risk encompasses a spectrum of threats and motives.

Cyber risk is defined by RSA as “the potential of loss or harm related to technical infrastructure or the use of technology within an organization”. A full understanding, however, necessitates that cyber risk be further categorized by intent (malicious or unintentional) and source (internal or external). Understanding cyber risk along these dimensions is key to structuring a company’s defenses. A data breach, for example, may not always be criminally motivated, and certain industries may be more likely to experience internal vs. external threats.

There’s more to lose than money and data.

The average cost of a data breach today is $3.9 million inclusive of legal fees, fines, lost productivity, crisis response efforts, remediation, and so on. However, these hard costs are only one part of the cyber risk equation. The loss of intellectual property, competitive insights, or consumer trust can often be the greatest source of long-term damage in the wake of a data breach. For this reason, boards should be putting near-equal weight on a comprehensive incident response plan, which is the board’s best tool for mitigating damage to stakeholder relationships, brand equity, and reputation.

Cyber risk is complex, unfamiliar, and continuously evolving.

Cyber risk oversight–and its technical concepts and vocabulary–can feel foreign to directors. At an average age of 63, the vast majority of today’s board members didn’t encounter cyber risk during the course of their careers–at least not at the level today’s organizations must operate. However, directors must recognize the similarities between cyber risk and other types of risk oversight, which they’ve long managed. Each member of the board is ultimately responsible for getting themselves up to speed and acquiring the language necessary to ask the right questions.


[Boards shouldn’t] think that [cyber] is something so technical and brand new that they don’t have a handle on it. Boards have dealt with risks of all kinds within their organizations in the past—they have adopted new risks over time. If they’re skilled and feel confident doing that, then they should feel confident about cyber.

— Michael Kaiser, Former Executive Director, National Cyber Security Alliance

Section Resources:

Defining & Understanding Cyber Risk in the Modern Enterprise

This resource from RSA offers a comprehensive definition of cyber risk and identifies the management team members who should be involved in structuring oversight.

Looking Ahead: 4 Cyber Threats on the Rise

It's important for today's board members to familiarize themselves with today's cyber risk landscape. We identify four emerging cyber trends that organizations should have on their radar.

Cybersecurity Fact Sheet: Why Small Business Isn't Immune

Small companies often mistakenly believe that they would be less attractive to a hacker when compared to larger companies with more valuable assets. In reality, nearly half of all cyberattacks are committed against small businesses.

How Should Boards Be Approaching Oversight?


Recognize that cybersecurity is an enterprise-wide initiative—not just an IT issue.

Historically, cybersecurity has been relegated to the IT department. Once or twice a year, the head of IT would make a technical presentation to the board that often left eyes glazed. Fast forward to today, and critical board discussions of strategy and risk are increasingly reliant on an understanding of the company’s cybersecurity posture. A siloed approach to cybersecurity will simply no longer suffice.

In the modern organization, every department–whether Marketing, Sales, Accounting, HR or Product Development–is likely working with different vendors and using technology in different ways. For this reason, every department must be involved in identifying and mitigating the company’s cyber risks. Many companies are incorporating a Chief Information Security Officer (CISO) into the management team to own the cybersecurity strategy and implementation across the organization. Yet, it’s often up to the other members of management to set the tone within their department and mitigate the cyber risks created by their department’s activities and third-party relationships.


Prioritize protection around the company’s greatest assets.

As with any form of risk management, it’s a game of prioritization. You can’t protect everything equally, and it’s the board’s job to ensure management has concentrated the strongest cybersecurity protections around the company’s most valuable assets. Every board should start with an inventory of the company’s digital assets and third-party relationships. Guiding the board should be the question: “What’s the worst thing this company could lose?” Knowing what data and relationships exist is an indisputable first step. The board can’t protect what it doesn’t know about.

Conduct an external analysis and leverage existing industry data.

Even though every company has a different set of risks and threat actors, understanding industry trends can shed light on where cybersecurity time and budget may be best allocated. For example, the majority of cyberattacks in the U.S. hospitality industry can be traced back to external actors targeting customer payment information. Compare that to hospitals and healthcare organizations, where breaches are more likely to originate internally from human error. Knowledge is power when it comes to understanding the company’s most likely cyber adversaries and their motivations.


Don’t overlook the human factor.

The “human factor” is all too often overlooked in board discussions of cyber risk. Consider the fact that 91% of successful hacks originate from phishing emails (i.e., fraudulent emails designed to extract valuable information from employees). Today’s boards should press management to explain what the company is doing to teach employees about the most common cyber risks and how to report them. Although difficult to measure, a cyber awareness training program is often one of the most impactful things the board and management team can implement on the road to cyber resilience.

Everyone is a source of cyber risk. Public failures become personal. Personal failures become public. Even seemingly small lapses in judgment or policy oversight can have dire consequences.

— RSA, "Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise"

Section Resources:

2018 Data Breach Investigations Report by Industry

In this report, Verizon paints a picture of the cyber threat landscape including data by industry. Which industry experiences the highest number of cyber incidents? What can you learn about your organization's most likely threats?

The Elements of an Effective Cyber Awareness Training Program

As more organizations recognize the role of employee error in cyberattacks, spending on cyber awareness training programs is expected to hit $10 billion by 2027. We outline the elements of an effective employee training program.

M-Trends 2018: Global Data on Cyberattacks

Mandiant, a FireEye company, looks at global trends in cybersecurity. Specifically, this report examines cyber breach data by industry, internal vs. external threats, and global dwell times (i.e., the time it takes for a company to discover an attacker on the network).

NIST Cybersecurity Framework


Providing a flexible roadmap and a common language.

In 2014, the Department of Commerce’s National Institute of Standards and Technology (NIST) published a voluntary framework to help organizations better understand, communicate, and manage their cyber risks. The NIST Cybersecurity Framework is a product of public-private collaboration and the most widely used cybersecurity framework. No matter how advanced a company’s current cybersecurity protections are, the NIST framework provides a roadmap, as well as a common language for discussing cyber risk throughout the organization and third-party networks.

Leveraging framework components to reach a better cybersecurity posture.

The “Framework Core” entails five functions: (1) identifying the assets, systems, and people that comprise the organization’s cyber risk profile, (2) prioritizing safeguards to protect the company’s most valuable assets, (3) implementing the appropriate systems to detect the most harmful/likely threats, (4) outlining a timely response plan that considers all stakeholders, and (5) detailing actions necessary to recover and restore protections following a breach.


Section Resources:

The Official NIST Framework: Version 1.1 (April 2018)

In the latest version of the framework, NIST reviews the changes implemented as of April 2018. This comprehensive document guides boards through the three main components: Framework Core, Implementation Tiers, and Profile.

A Brief History & Overview of the NIST Cybersecurity Framework

This blog provides additional context around the development of the NIST framework, including a summary of its main components.

What Role Does NIST Play in Corporate Governance?

NIST is an old agency with a new mission. This blog touches on the history of NIST and explains how the framework can help bridge the gap between boards and IT departments.

Governance & Composition


Who on the board owns cyber risk?

Is the audit committee the right owner?

Over the last several years, the audit committee has been the most popular place for boards to assign ownership (PwC’s Annual Corporate Directors Survey). However, as the cyber risk environment grows more complex–and as cyber risk becomes increasingly central to discussions of strategy and value creation–it’s debated whether a better owner may be the full board, a dedicated risk/technology committee, or a hybrid of the two. Governance experts also worry that audit committee agendas are already too packed to “tack on” another risk as important as cyber.

What’s the best structure for our board?

Oversight structures will necessarily vary by board and depend on several factors: nature of company assets, industry, risk tolerance, cyber threat history, existing committee structure, current director skill sets, etc. Among the questions boards should be asking: Is our full board capable of taking the deep dives necessary to oversee cyber risk throughout the organization? Does our board have the skill sets to effectively manage cyber risk within a dedicated committee? If so, what’s the process for reporting back to the full board?

Should we recruit a cyber expert to the board?

Less than one-fifth of directors say they are satisfied with the current levels of IT or cybersecurity expertise on their board. Yet many boards debate whether recruiting directors with cyber expertise is actually the best strategy for board oversight—especially since these candidates typically lack broader operational experience. Many boards are taking a chance on these first-time directors, while others are electing different methods for incorporating cyber expertise.


What conversations does our board want to be having around cybersecurity?

Not all cybersecurity experience is the same. Even after a board decides it needs a cyber expert, there are many layers to peel back, says Spencer Stuart’s Jason Baumgarten: “What conversations does your board want to be having around cybersecurity that you feel unable to do with your current board expertise?” By asking this simple, powerful question, says Baumgarten, boards begin to evaluate their needs through a different lens.

In our blog titled, Should We Recruit a Cybersecurity Expert to the Board?, Baumgarten outlines the types of introspective questions that should precede any board search: How much time are we going to be spending on cyber risk in the boardroom? Given our business model, are we more concerned about third-party risk or about the ethical and regulatory aspects of data management? Do we need an enterprise CISO or someone who’s lived through a specific episode or disruption? Are we better off creating an advisory board vs. recruiting a full-time director? Thinking through these questions beforehand will always result in a better long-term fit.


…people are recognizing that having a CISO on the board is not necessarily a clear path to shifting the discussion around cybersecurity…A lot of the cyber challenges that today’s companies are facing are not just the traditional cyber issues–rather, they’re regulatory, they’re business-model driven, and they involve broader ethical questions around how to interact with data and machine learning.

— Jason Baumgarten, Partner, Spencer Stuart

Resources

Implementing Board Oversight of Cybersecurity (Advice for Boards Just Starting Out)

This resource from Temple University's Fox School of Business overviews the various methods for structuring cyber risk oversight. It focuses specifically on the board's relationship with management and provides checklists following each section.

How Your Board Can Be Effective in Overseeing Cyber Risk

This cybersecurity resource from PwC's Governance Insights Center weaves in statistics from the Annual Corporate Directors Survey. What should be on the board's cyber risk dashboard?

A Strategic Cyber-Roadmap for the Board

This article from The Conference Board Governance Center takes a unique case study approach to examining cyber risk governance. Five board members are interviewed yielding insights on forming a dedicated technology committee, management reporting, third-party penetration testing, and more.

Elements of a Cyber Breach Response Plan


Why it's so important to be prepared...

The loss of proprietary data or sensitive customer information would be debilitating for any company. However, it’s the damage to an organization’s brand, reputation, or consumer trust that can have the greater long-term negative effects. The good news? Despite the unpredictability of cyber threats, boards have the ability to significantly influence oversight and how the company responds. An effective crisis response plan always starts with advance preparation.

Be aware of any regulations or disclosure requirements.

Before drafting a cyber breach response plan, the board and management team must be aware of any cybersecurity regulations or disclosure requirements that apply to their company; these will often vary by industry and geography. For example, organizations in the U.S. healthcare industry would be required to abide by the HIPAA Breach Notification Rule, while any company that processes or controls the data of EU citizens would be subject to the General Data Protection Regulation (GDPR). Enacted on May 25, 2018, GDPR is not only impacting company operations around the world, but it’s expected to set a global precedent for data privacy in the months ahead. Board members would be wise to read up.

Outline a plan for notification and communication.

Central to any cyber breach response strategy should be a detailed escalation plan for who gets notified and when. Outlined in PwC’s Risk Oversight Series, the plan should answer questions such as: When will the board be notified? What is the company’s plan to inform regulators? How and when will other stakeholders—including individuals whose personal information may have been lost—be informed? Who’s responsible for taking action at each stage of the process?

Line up any external partners or resources before a crisis hits.

The hours following a data breach are not the time to be interviewing new legal firms or PR agencies. The board and management team should arrange any external relationships ahead of time as part of the broader crisis response plan. In our blog titled, Before the Breach: 4 Board Lessons in Cyber Breach Preparation, Betsy Atkins outlines various third-party relationships to consider, including legal firms, PR and IR agencies, forensic consultants, contacts within law enforcement, etc. The crisis plan should indicate: (a) when these partners get notified and (b) what their responsibilities are.


Section Resources:

Cyber Risk Management: Response and Recovery

How does cyber insurance fit into the organization’s total risk management process? This paper from Women Corporate Directors outlines the questions that boards should be asking management, along with an overview of the current cyber insurance landscape.

Before the Breach: 4 Board Lessons in Cyber Breach Preparation

From establishing external relationships to outlining a ransomware policy, there are several steps boards should be taking now to ensure they're prepared for the worst.

Data Protection Act: What to Know About GDPR

What is the General Data Protection Regulation (GDPR)? How will it impact companies outside of the European Union? How can boards ensure their company is compliant?

Disclosure & Liability


How should boards approach cybersecurity disclosure?

As we emphasized in the section above, boards must be aware of any data privacy regulations or disclosure requirements for each country and industry in which the company operates. The European Union’s recent General Data Protection Regulation (GDPR) is expected to eventually influence U.S. regulations; however, for now, the U.S. cybersecurity disclosure landscape is still nascent, evolving, and largely voluntary.

The SEC recently updated its February 2018 interpretive guidance, which outlines its expectations around cybersecurity disclosure. The SEC encourages companies to disclose all material cyber risks and network incidents to shareholders, whether they’ve been the target of a cyberattack or not. In this episode highlight, SEC Commissioner Robert Jackson Jr. describes the dire implications facing American citizens should U.S. companies and regulators fail to take a stronger stance against cyber crime. Additional insight can be found in our recent blog titled, A Snapshot of the U.S. Cybersecurity Disclosure Landscape, where Donnelley Financial Solutions’ Ron Schneider outlines cyber disclosure trends stemming from the latest proxy season.

What should boards know about liability related to cyber risk?

Boards have a duty to oversee risk across the organization–a duty that stems from their basic fiduciary duties of care and loyalty. In this episode highlight, William Chandler, Former Chancellor of the Delaware Court of Chancery, outlines a board member’s oversight duties related specifically to cyber risk.

In the case of a cyber breach, Chandler explained, a judge will determine the board’s liability based on the following logic: (1) Did the board have a system in place for monitoring cyber risks throughout the company? (2) Following its own system, did the board address any red flags in a timely manner?

Thus, not only should today’s boards have a process for overseeing cyber risk, but that process should be well documented. In our blog titled, Cyber Risk Oversight: Understanding Board Liability, the Wilson Sonsini Goodrich & Rosati team shares actionable steps board members can take to mitigate liability.

I use this old metaphysical story: If a tree falls in the forest, and there’s no one there to hear it, does it make a noise? The corporate law analog to that is: if a board follows an exemplary process but has no record of it, will the judge still respect what the directors did? You don’t want to find out the answer to that.

— William Chandler, Partner, Wilson Sonsini Goodrich & Rosati

A Snapshot of the U.S. Cybersecurity Disclosure Landscape

How should U.S. companies be approaching cybersecurity disclosure? We review current SEC guidance and outline cyber disclosure trends stemming from the latest proxy season.

Cyber Risk Oversight: Understanding Board Liability

What should boards know about their duties and liability related to cyber risk—particularly in the wake of a data breach? We review board oversight responsibilities and emphasize the areas where boards should be devoting the most time.

The Tangled Web of Cybersecurity Disclosure Requirements: A Practical Guide

This Harvard Law resource provides a more technical overview of the current U.S. disclosure landscape, including SEC guidance, U.S. state and federal notification laws, and MAR and GDPR disclosure requirements.

Common Mistakes in Board Communication


1. Using personal email and devices

Too often, we find that board members don’t associate their own communication practices with the company’s cybersecurity posture. This can be a dire mistake, given that board members and C-Suite executives often possess the most sensitive company information, making them the most attractive targets for hackers and other cybercriminals. Several recent exposés have revealed the dangers of personal email. Even if the nature of those conversations is seemingly incidental, personal email–like any other unencrypted or ill-encrypted digital gateway–can be used as a point of entry into a board member’s personal devices.

2. Overlooking the implications and liability risk

When directors use personal channels for board communication, they seldom think about the implications should the company ever come under litigation. The Delaware Courts have held that any electronically stored materials relating to the business become the property of the company and are therefore “discoverable”. Thus, even if directors are using personal email, computers, or text messaging for incidental board matters, it could all be subject to e-discovery. Today’s corporate secretaries must set the tone for responsible communication practices and ensure their directors understand the dangers of communicating outside of a secure board portal environment.


Section Resources

Secure Communications: How Does Your Board Stack Up?

In this joint research project, the New York Stock Exchange and Diligent surveyed nearly 400 directors to understand how they communicate with other members of the board. Which practices are the most common? Which ones pose the greatest risk?

Conversations Your Board Should Be Having About Data Use

As companies like Facebook and Google come under fire for data misuse, we discuss various implications for today’s board members and corporate secretaries.

Why/How to Get Your Board to Adopt a Secure Messaging App

In this blog, we review all the ways that email communication can put the board at risk. What guidelines should boards follow for safer, smarter communication?

Additional Cyber Risk Resources


FORGE Interactive Playbook on Cyber Governance

Powered by NYSE Governance Services, this interactive cyber risk playbook is one of the best resources we've come across. This group of executives, directors and industry influencers presents a set of cyber risk guidelines based on real-world case studies.

Highlights: Cyber Risk Guidance for Boards

In this special "highlights" video, we revisit past episodes to extract our best advice for boards on cyber risk–from structuring oversight to understanding liability risk.

How Your Board Can Be Effective in Overseeing Cyber Risk

This resource from PwC's Governance Insights Center outlines common obstacles boards face when overseeing cyber risk—from building dashboards to recruiting cybersecurity expertise.

Cybersecurity: Why Some Boards Are Forming Dedicated Committees

Kathy Misunas, a board member with Tech Data Corp. and Boingo Wireless Inc., explains why her board(s) decided to form a Cyber Risk Committee. What was the catalyst? How did the committee evolve over time?

Download: NACD Director's Handbook on Cyber-Risk Oversight

The NACD's Cyber Risk Handbook outlines five core principles that boards should follow to enhance their oversight of cyber risk across the organization. This resource is free to download for NACD members.

4 Mistakes Boards Are Making When Overseeing Cyber Risk

On the heels of last year's Next Gen Board Leaders Mini-Summit, we share key takeaways from the closed-door discussions. What mistakes are some boards still making when it comes to cyber risk oversight?

Cybersecurity Risk Management Oversight: A Tool for Board Members

This tool from the Center for Audit Quality outlines a roadmap of questions for boards to be asking senior management and their CPA firm.

What Boards Need to Know About Cyber Risk Insurance

Christian Hoffman explains what a cyber risk insurance policy typically covers. What questions should boards be asking management about their company's need for cyber insurance?

Cyber Risk Forum: Former Secretary Of Homeland Security Michael Chertoff

In this two-part series by Corporate Board Member, Michael Chertoff, Former Secretary of the U.S. Department of Homeland Security, discusses what boards are often missing with regard to cybersecurity.