The past year has seen a remarkable increase in the number of cyberattacks on corporations, forcing boards to reevaluate their cybersecurity defense and response preparedness. More and more companies are facing legal and reputational risks, as cyber risk presents relatively new challenges that some boards lack the expertise to address. Companies are realizing how vulnerable they are now that nearly every aspect of business is conducted through online channels.
The challenge of protecting data is getting more complicated: cyber risk for corporations is growing as remote work, mobility and applications expand and Internet of Things devices proliferate. The attack surface is getting larger. Cyber attackers are getting more aggressive. IT is ubiquitous and powers nearly every aspect of a modern business, but cybersecurity isn’t just an IT department issue anymore. Cybersecurity is an enterprise-wide risk management issue for which officers and directors are responsible.
Moreover, cybercrime is becoming more industrialized, leading to a massive increase in both the volume and the sophistication of attacks. From an investor perspective, it is becoming more apparent which companies have been thinking about cybersecurity systematically and which will be forced to improvise should an attack occur. This has led to increased pressure from stakeholders for boards to act thoughtfully and proactively in response to the growing cybersecurity threat.
Mounting pressure from inside and outside companies has heightened the need for new directors with cybersecurity expertise. In a survey conducted by EY in 2020, 60% of Fortune 100 companies included cybersecurity as an area of expertise they are looking for in new board members. Even though investors are calling for the addition of new directors with expertise in this area, all board members ought to have a thorough understanding of their company’s security profile and potential risks. A survey by the National Association of Corporate Directors (NACD) showed most directors believe they ought to improve their oversight of security threats, and as a result are turning to cyber training and certification programs, as well as external cyber consultants.
Cyber literacy is not only about directors gaining competency in the language of security, but also about Chief Information Security Officers being able to communicate effectively at the board level. Clear and simple explanations of risk should take precedence over complex explanations laced with technical jargon. Through the joint efforts of board directors and CIOs, decision makers can gain the competency needed to accurately assess cybersecurity risk and create effective strategy.
Failure to create these channels of communication, build cyber literacy and implement cyber risk oversight could result in companies and boards facing reputational harm or legal liability. It is not uncommon for directors to be sued in post-attack lawsuits, so directors must demonstrate that they have the information and understanding to exercise proper judgement surrounding these topics. Moreover, the SEC in 2018 recommended that companies should disclose cybersecurity risks if those risks are material to a company’s business. It is not unreasonable to expect further guidance on disclosure of cybersecurity risk in the aftermath of recent attacks.
Management is accountable to the board of directors. When the board, in its oversight role, focuses on cybersecurity risk, it sets the tone and culture for the company toward managing that risk. The board’s responsibility is to make sure the executive team has a plan in the event of an incident. Boards should ask themselves whether they are capable of mitigating an attack and returning to normal operations as quickly as possible. What’s more, cyberattacks tend to exacerbate tensions that already exist within an organization, especially if that organization has no clear leader in the event of a crisis. Boards should develop a sense of urgency about this issue within the executive team and management, and work together to identify their critical assets and develop crisis management procedures. This process could even involve forming a cyber risk committee. Making cybersecurity a joint capability within the company will help make the whole organization more resilient should an incident occur.
John Zangardi, PhD
President, Redhorse Corporation
Former CIO of the Department of Homeland Security and the Department of Defense