Boards are now paying attention to the need to participate in cybersecurity oversight. Not only are the consequences sparking concern, but the new regulations are upping the ante and changing the game.
Boards have a particularly important role to ensure appropriate management of cyber risk as part of their fiduciary and oversight role. As cyber threats increase and companies worldwide bolster their cybersecurity budgets, the regulatory community, including the SEC, is advancing new requirements companies will need to know about as they reinforce their cyber strategy.
Most organizations we’ve studied focus on cyber protection rather than cyber resilience, and we believe that is a mistake. Resiliency is more than just protection; it’s a plan for recovery and business continuation. Being resilient means that you’ve done as much as you can to protect and detect a cyber incident, and you’ve also done as much as you can to make sure you can continue to operate when an incident occurs. A company who invests only in protection is not managing the risk associated with getting up and running again in the event of a cyber incident.
Our research indicates that most board members believe it’s not a matter of if, but when their company will experience a cyber event. The ultimate goal of a cyber-resilient organization would be zero disruption from a cyber breach. That makes the focus on resilience more important.
New SEC Regulations Will Change the Board’s Role
In March 2022, the SEC issued a proposed rule titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. In it, the SEC describes its intention to require public companies to disclose whether their boards have members with cybersecurity expertise: “Cybersecurity is already among the top priorities of many boards of directors and cybersecurity incidents and other risks are considered one of the largest threats to companies. Accordingly, investors may find disclosure of whether any board members have cybersecurity expertise to be important as they consider their investment in the registrant as well as their votes on the election of directors of the registrant.”
The SEC will soon require companies to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies. Specifically, where pertinent to board oversight, registrants will be required to disclose:
- whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks,
- the processes by which the board is informed about cyber risks, and the frequency of its discussions on this topic,
- whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.
The good news is that boards are making progress in this area. Recent research we conducted with research partner Proofpoint showed that almost two thirds of board members believe the organization is at risk of a material cyber attack. Almost three quarters of respondents felt the investment their organization has made in cybersecurity is adequate, and about the same amount feel cybersecurity is a top priority. Seventy-six percent reported that cybersecurity matters are discussed at every board meeting, or more often than that.
However, our research also uncovered attitudes and beliefs that must change. Only 23% of board members think the risk of an attack on their organization is very likely. About 47% believe their organization is unprepared for a cyber attack, begging the question “what are they doing about this?” And about one third of board members say they interact with the CISO only when he/she is presenting to the board. There is clearly room for improvement in aligning board members with the organizations cybersecurity priorities.
Board Member Cybersecurity Attitude Adjustment
To provide proper oversight and comply with the regulatory environment, board members are going to have to up their cybersecurity game. It’s no longer adequate to just hear about the protections put in place, or the results of the latest phishing exercise. Board members must take the position that cyber attacks are likely, and exercise their oversight role to ensure that executives and managers have made proper and appropriate preparations to respond and recover. After all, if we assume every organization has a likely risk of being breached or attacked, and it’s not possible to be 100% protected from every attack, the most rational approach is to make sure the organization can recover with little or no damage to operations, to the financial bottom line, and to the organization’s reputation.
Building resiliency in an organization requires proper oversight from the boardroom based on a clear plan built on business and economic analysis. Here are a few stories about how companies we studied have done this.
A financial services company CEO realized his board was not well versed in the business context or financial exposure risk from a cyber attack. He hired a third-party consulting firm to conduct a cybersecurity maturity assessment. The company CISO presented the results of the report to the enterprise risk management subcommittee, creating a productive dialogue around the business and financial impact of different investments in cybersecurity. What-ifs about investing in different levels of maturity helped the board understand the financial/risk tradeoffs and provided them with both a language and perspective necessary to perform the needed oversight of cybersecurity plans offered by the executive team.
Another organization focused their board on the alignment of their cybersecurity program and operational risk. The CISO, in collaboration with the chief risk officer, leverage financial analytics to assist with bridging the gap between the cyber exposures to operational losses. The board was able to understand the exposure of the organization from a risk perspective, resulting in optimizing their cyber insurance policy as a way to mitigate the newly understood risk.
By using the language of risk, resiliency and reputation in cybersecurity discussions with board members, operational executives are able to bridge the gaps that often occur between the technical needs seen to meet cybersecurity needs, and the oversight responsibilities executed by boards. Perhaps this was best articulated by Peter R. Gleason, the president and CEO of the National Association of Corporate Directors (NACD), when he said, “We have heard from many directors the need to understand the financial exposure resulting from cyber risk, going beyond the threat-focused, technical cyber presentations most boards receive.”
As we increasingly rely on boards to extend their fiduciary responsibilities to cybersecurity plans, operational managers must also take a role by presenting those plans in a way that align with the way boards best contribute. Meeting the new regulatory requirements can be better achieved by aligning how operational leaders discuss cybersecurity with their boards.
Increase Cybersecurity Expertise in your Boardroom
Here are some actionable insights to begin today so your board meets (or exceeds) the new SEC guidelines, and provides the right level of oversight to cybersecurity plans:
1. Develop a common language for discussing the complex issues of cyber risk and resilience.
Boards want to simplify confusing, technical discussions loaded with nuanced security terms. It’s not that these are unimportant, it’s just not as effective for the board as an economic analysis that shows how cyberattacks endanger organizations financially in the short and long term and how the organization will be back up and running, i.e. resilient. Our research shows that insurance companies are taking the lead here, as they shifting the cyber conversation from a highly technical and ambiguous security one to one where businesses can understand and effectively manage their financial exposure.
2. Keep cyber resiliency on the board’s agenda and in discussions with management.
Our research indicates that boards are hearing about cybersecurity from management but the discussions must take place more often. It’s not a “one and done” type of decision; it’s a continuously changing and moving target. The more often the board is exposed to the cyber-situation of their organization, the more comfortable and more expert they become.
3. Build wider bridges between cybersecurity executives and board members.
Board members must have access to, and relationships with, cybersecurity experts within the organization. While inviting CISOs to report to the board helps with identity, it doesn’t build strong connections between board members and security executives. Find ways to facilitate this relationship.
In our research, we have seen board members reaching out to CISOs in between board meetings to discuss cybersecurity headlines, to share personal incidents that might occur, and just to get better acquainted. That way, when there is an urgent need for the board to weigh in on a cybersecurity situation, the relationship is already in place and the discussions are more relevant and transparent. A cyber incident is not the time to build the bridge; that should occur long before the difficult conversations have to take place.
Board education to meet the SEC requirements can occur organically if both the board and operating executives just slightly tweak their approach. Thinking in terms of resiliency instead of protection, balancing the business and technical risks, discussing cybersecurity in terms of financial exposures, and increasing the frequency of discussion of the cybersecurity landscape faced by the organization, will help directors on boards prepare for and meet the SEC rules likely to come. And that will go a long way towards increasing organizational resiliency.