Increasing Board Engagement with Cyber Risk

Last week in our nation’s capital we met with several key players who are working to get a better handle on cyber risk. The need for board engagement in cybersecurity is universally understood, but simplifying it will require cooperation from all sectors. These sectors include standards organizations, industry associations, regulatory agencies, and Congress.

The rising frequency and impact of cyber breaches has elevated the responsibility for cyber risk mitigation to the highest levels of organizations. Reputation damage, shareholder lawsuits, and regulatory actions are significant threats to valuation. Boardroom engagement in cybersecurity is mandatory.

Corporate directors can play a key role in strengthening a company’s cybersecurity posture. When the board is concerned with enhancing cybersecurity maturity, and key stakeholders understand that their actions are regularly reviewed at board meetings, improvements will occur.  As business guru Peter Drucker said, “What gets measured gets managed.”

When directors actively participate in managing cyber risk, they rely on an ecosystem that provides the tools they need. Key elements in cyber risk mitigation include:

• Standards organizations. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity authored what is widely considered to be the gold standard for cyber maturity assessment. The Department of Energy’s C2M2 framework adds depth and clarity to the NIST Framework without becoming overly prescriptive. Clearly, business-oriented standards arm a non-technical director with the understanding needed to oversee cyber risk.
• Compliance consortia. Industry-specific groups have incorporated requirements for cybersecurity that put a finer point on what’s needed: HIPAA in healthcare, PCI in the credit card industry, FINRA for the financial services industry, FERPA for educational organizations, and so on. Adding compliance to the cybersecurity requirements underpinning these guidelines is critical for companies in many industries.
• Associations of directors. Associations with large numbers of directors (e.g.. the National Association of Corporate Directors with 17,000+ members) exist to provide members with the latest information on governance issues of all types. They play a special role at this point in history by educating their members about how to manage a highly technical area requiring board oversight. NACD even provides free guidance to help directors address this critical topic.
• Insurers. The cyber insurance market is projected to grow from the current $2 billion in premiums to $20 billion by 2025. Lloyd’s suggested in 2013 that it will eventually grow to $85 billion. While insurers want to participate in such a lucrative opportunity, the relatively sparse cyber breach data currently constrains underwriters. Companies we have spoken with are grappling with how to solve the actuarial challenges so they can price cyber products appropriately and help boards mitigate cyber risk.
• Regulatory agencies. Federal and state regulatory agencies are driving companies to improve their cyber risk readiness. The Federal Trade Commission (FTC) has pursued aggressive sanctions against companies negligent in protecting customer data, e.g., the recent $113,000,000 penalty paid by LifeLock. Motivated by their concern for the potential negative impact of cyber breaches on the country’s economy, the Securities and Exchange Commission (SEC) has been vocal in urging directors to play an active role in oversight. At the state level, the National Association of Insurance Commissioners (NAIC) now requires annual reporting on the status of insurers over a certain size, and they recently proposed a Cybersecurity Model Law for the insurance industry.
• Congress. And let’s not forget the federal government. There’s a growing recognition that cybergovernance is tracking the same path as financial governance and reporting. Following Enron and other scandals around the last turn of the century, this issue came to light and ultimately resulted in the passage of the Sarbanes Oxley bill (SOX) in 2002. With almost daily revelations of cyber breaches, multiple bills have been proposed to encourage organizations to intensify their prevention efforts, and the cyber equivalent of SOX may be imminent.

What steps can be taken to increase the board’s engagement in cyber risk oversight?

1. Standards. Finding ways to integrate and automate the best standards without diminishing them requires more effective collaboration between directors, the C suite, and security professionals like the CISO. Cooperation between standards-bodies is helping, e.g. NIST’s recently introduced HIPAA Security Rule Crosswalk.
2. Education. Boards must become conversant about key standards like the NIST Framework. Organizations like NACD should continue to expand their efforts to elevate the knowledge of directors on all the relevant standards.
3. Enforcement. Without any enforcement, competing business pressures can distract organizations from making the changes needed to enhance their security posture. A 2015 ruling by the Third Circuit Court of Appeals supported the FTC’s right to hold companies responsible for breaches. To paraphrase Dr. Drucker, “what gets penalized gets acted upon.”