What Boards Need to Govern Cyber Risk: A Conversation with Ralph Hasson

Background

Headlines continually highlight the latest disclosures of personal information and proprietary data caused by yet another cyber breach. Large breaches are followed by shareholder lawsuits or regulatory actions with ominous phrases:

• “The complaint[s] allege breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control…”
• “…knowingly and in conscious disregard of their duties failing to ensure that [the company] took reasonable measures to protect its customers’ personal and financial information.”
• “The company didn’t create and maintain a comprehensive information security program to protect customers’ personal data.”

Board members know that they are being held accountable for overseeing cyber risk. For the past several years, cybersecurity has shown up as their #1 or #2 issue in multiple surveys. In late 2015, the New York Stock Exchange polled 276 public directors and found that 60% expect an increase in shareholder suits, and 72% expect cybersecurity regulation.

Conversation

We asked Ralph what boards want to know in relation to cyber risk management, and what they need to know in order to provide effective oversight.  Based on that conversation, we distilled a five-point wish list:

1. Ralph: “Boards are being held accountable for oversight of cyber risk management, and they know it. They want to know that the organization has an effective, comprehensive approach in place for managing cyber risk.”

   Our Take: Hearing piecemeal compilations of statistics about intrusions, for example, is not what they want to hear. Better is a report about a well-conceived plan for mitigating cyber risk and ongoing status updates.

2. Ralph: “They want to know that the organization’s approach is based on nationally recognized, best practice standards.”

   Our take: Expressing the cyber maturity of the company vis-à-vis standards developed by leading industry experts (e.g., the NIST Cybersecurity Infrastructure Framework) assures directors that the picture they are shown is accurate.

3. Ralph: “They want to see reporting in terms and in a format that they can comprehend.”

   Our take: One board member friend described a common scenario: the chief security officer presents the state of cybersecurity with lots of complicated statistics, the directors’ eyes glaze over, and they move on to the next agenda item. Directors want to be able to understand cyber risk in the context of, and in the same way as, other business risks.

4. Ralph: “They want an approach to and a format for reporting that allows them to dive deeper and ask questions as needed.”

   Our take: Board members are used to probing what they’re shown in hopes of exposing risks early and brainstorming approaches for improvement, based upon their experience and expertise. They can’t do that by viewing rows of statistics rather than a clear depiction of progress made and highlighting of obstacles to it.

5. Ralph: “They want a cyber risk management program and an approach to reporting that allows them to hold management accountable.”

   Our take: Implementing a comprehensive approach to cyber risk management involves planning, execution, monitoring, and reporting. Directors prefer to receive clear status updates that are visually appealing and understandable. To accomplish their fiduciary duty of holding management accountable for how it leads the organization, they must have clarity.

For public and private companies, cyber risk has become a significant risk to shareholder value. To fulfill their oversight responsibilities, directors need management to place a high priority on cyber risk mitigation and to take a deliberate approach to assessing, monitoring, and reporting on the organization’s cyber breach readiness.