In the face of growing cyber threats, boards play a critical role in effective cybersecurity governance. The SEC’s new cybersecurity disclosure regulation puts even greater emphasis on the board’s duty to oversee how management addresses cyber risk and compliance obligations. It’s more important than ever for directors to understand the threat landscape, identify knowledge gaps, nurture a cyber-aware culture and evolve their governance practices. By taking a proactive approach to cybersecurity governance, Amy Rojik says, boards can help management protect the organization and meet compliance needs.
By some estimates, a cyberattack occurs every five seconds. The average cost of a data breach was recently calculated to be $4.5 million, a 15% increase since 2020, and the U.S. has the highest average cost for a breach at $9.5 million. Amid the growing sophistication, frequency and cost of cyberattacks, a proactive board has become essential to more reliable and effective cyber governance.
Investors increasingly acknowledge the material impact that cyber threats and breaches have on operational and financial sustainability. The SEC’s newly updated cybersecurity disclosure regulation, which mandates more immediate and detailed cybersecurity risk management and material incident reporting by public companies, reflects shareholders’ attention to growing technology-related risks and the need for more detailed and more timely information to inform investment decisions.
The SEC rule also underscores the board’s fiduciary duty to oversee management’s cyber risk assessment and management program to help prevent, detect and mitigate cyber threats while meeting all compliance obligations. The final SEC rule did not require boards to disclose their own cyber expertise, as originally proposed, but to succeed in an increasingly hostile cyber environment, companies need directors with a strong, current knowledge of the cybersecurity threat landscape.
Understand the threat
The entire board must understand management’s readiness to defend the company from cyber breaches and meet new incident reporting requirements. Directors with a strategic and tactical view of the enterprise are better equipped to recognize and assess cyber risks and support management in developing prevention, detection and mitigation protocols. At a minimum, boards should substantiate management efforts to:
- Implement and enforce enterprise-wide cybersecurity policies and procedures.
- Ensure that adequate resources are being provided to mitigate cybersecurity risk.
- Establish internal controls over data.
- Timely assess material cyber breaches when they occur.
But that is not at all. With shareholder engagement at the heart of its duty, only a cyber-savvy board will be able to communicate regularly and thoroughly with management regarding the status of cybersecurity risks, incidents, detection, and prevention measures. Additionally, the board and leadership team will need to communicate promptly with shareholders, regulators and the public. Disclosure remains the vehicle through which these stakeholders are informed about several critical areas: the company’s processes for addressing, identifying and managing material cyber risks; management’s role and expertise in assessing and managing them; how the company responds to the occurrence of cyber incidents; and the board’s oversight of all these activities.
Identify knowledge gaps
As with any significant risk, the board needs to evaluate whether it has the requisite skills that can enable directors to carry out their duties. Naturally, not every board will organically possess cyber expertise. Identifying knowledge and experiential gaps — and proactively addressing them — may take different forms. Ultimately, though, the full board should strive to become and remain knowledgeable about current cyber threats and align its understanding of what good cybersecurity governance should look like. Every board should consider what the appropriate knowledge and experience level should be within the board relative to the organization’s unique cyber threat landscape. Directors should also evaluate whether the board has access to adequate cybersecurity expertise within the management team and through other resources.
There are many customizable strategies available to boards that can help shore up knowledge gaps. Depending on the degree of cyber risk a company may face, some boards may consider simply assessing whether they need to enhance director skill sets, ensuring that at least one director possesses cybersecurity expertise and ensuring that board agendas allocate time to discuss cyber risk readiness. Boards may consider having a director with recent cyber-specific expertise, such as having served as a chief information security officer (CISO) or other relevant IT security role. For others, clearly defined and assigned roles for cybersecurity governance — whether full board, committee or subcommittee — may help boards improve oversight processes. Those purviews should be outlined in board and/or committee charters.
Boards of enterprises that face heightened cyber risks may even consider establishing a cybersecurity committee or subgroup to monitor the company’s strategies and the potential operational, financial and reputational impact of a cyber incident. Third-party management-level cyber experts, advisers and participation in cyber certification programs can also keep the board informed on cyber developments and guide management as it establishes robust protocols, controls and processes.
Nurture a cyber-aware organizational culture
For some organizations, cybersecurity may be best tackled from the inside out. Boards may first consider monitoring how management stress tests the organization’s cyber incident preparedness and response plans in protecting cyber assets. Therein, boards may request that management develop and frequently update a fulsome cyber breach response plan, particularly one that involves the board, general and external counsel, authorities and others as applicable.
Additionally, boards should request periodic management progress reporting on identified areas of cyber asset susceptibility. Finally, particularly given that an estimated 95% of cybersecurity issues can be traced to human error, boards would be wise to create a culture of cyber awareness among employees and provide continuous enterprise-wide learning about cyber risk as a core preventive measure.
Evolve governance practices
The landscape of cyber risk and compliance is evolving, and the standard of good corporate governance needs to evolve with it. Helping management address the cyber threat du jour requires the board’s proactive attention. Directors who set the proper tone and arm themselves with necessary information, tools, and other available resources can be instrumental in facilitating a safer and more cyber-secure environment for businesses to grow and thrive and safeguard the investments of stakeholders.