Certainly, board directors are under a lot of pressure these days in all market sectors. Most directors understand that it is only a matter of time before their organization suffers a cyber incident and breach, and that all constituents' focus will then be on the directors themselves to see whether they properly exercised their risk oversight.
Directors also know that all communications with the CIO and CISO will be subject to scrutiny in the aftermath of a security incident. But with the right mix of security education and assistance from experts, directors and executives can improve their cyber risk awareness and achieve compliance with a growing number of privacy and risk regulations.
Increasing Regulatory Pressures
Boards are worried about both lawsuits from shareholders and fines from regulators. Many regulatory agencies, such as the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC), have communicated strongly to all markets and followed up with enforcement actions against entities that failed to take appropriate steps to safeguard data.
Educating Executives on Core Principles of Cyber Risk
While cybersecurity isn't exactly a required course in MBA and executive leadership programs, directors have been receiving continuous and actionable advice on cybersecurity issues. This advice comes from regulators, from their own staff, and from organizations charged with training board directors, such as the National Association of Corporate Directors (NACD).
Strong Cyber Security Policy
Cybersecurity should be part of the enterprise-wide risk management program.
Boards should have access to cybersecurity resources and expertise, and should regularly review security issues and compliance.
Boards should ensure that organizational leadership has provided appropriate direction and support for data security resources and oversight.
Directors and senior leadership should determine which risks to avoid, accept, mitigate, and so on.
Boards should understand the legal ramifications of cyber risks.
A growing number of companies are beginning to mention cyber issues as part of their quarterly or yearly disclosures. Some of these updates provide a clearer sense of what boards and top leaders are doing about cybersecurity.
For example, one company’s SEC filing clearly stated that it had conducted cyber risk governance training “to equip board members with examples of questions to ask to challenge management and make sure that the controls in place align with the company’s risk appetite and culture.” It added that the company would “continue to monitor the performance and level of risk” regularly throughout the next year.
The question is whether cyber risk governance training will become the new norm.
Boosting Security Awareness Among Board Members
The idea of board directors challenging senior leadership's assertions isn't new, and it applies to all other areas of board members' responsibilities, including cybersecurity. For example, a cyber risk guidance report from U.K.-based governance institute ICSA distinguished cyber risk from other risk types because of "the rapid evolution of technology and the resulting fundamental changes in the way business is conducted." The report also noted the need for boards to "consider taking wider advice" in order to fully comprehend the cybersecurity challenges they face.
Another example of the expectations facing board directors today comes from a report by the Deloitte EMEA Centre for Regulatory Strategy, which predicted that, because of increased cyber risk regulations and frameworks, "boards will be asked to demonstrate they have access to sufficient cyber and IT expertise to allow them to challenge management in this area."
Board directors, for the most part, appear to be cognizant that it is no longer enough to simply receive quarterly cybersecurity updates, and that they need to be more engaged and aware when it comes to cybersecurity and cyber risk.