A Cybersecurity Guide for Directors

By R. William “Bill” Ide III and Amanda Leech, Dentons Governance Center (1)

With the ever present reality of cybersecurity breaches, there has been a tendency in board governance literature to treat cybersecurity risks differently than other risks facing the organization. In practice, however, boards have long been tasked with protecting their company from significant risks. While cybersecurity may appear to be a daunting new risk to many board members, the long-established “tried and true” board governance approach to risk oversight works well and should be applied to cybersecurity risk.

Board duties generally fall within six categories:

  1. Governance
  2. Strategy
  3. Risk
  4. Talent
  5. Compliance
  6. Culture

With respect to cybersecurity, the board’s duties in each of these categories play a critical role in effective oversight of a company’s cybersecurity program.

Every director should have a general understanding of cybersecurity risk and what it means for the oversight responsibilities of directors. While the basic business-judgment obligations of directors are the same for this emerging area of risk, cybersecurity itself is a dynamic and complex subject. Effective oversight in this area can be the difference between “learning the hard way” and incurring significant damages, and successfully mitigating the damages that frequently accompany a significant breach.

Cybersecurity Oversight: Role of the Board

For company management and boards of directors, Target, Sony and the record number of other incursions demonstrate that cybersecurity risk is as significant as other critical strategic, operational, financial and compliance risks under boards’ purview.

Since the passage of the Sarbanes–Oxley Act of 2002, the Delaware Courts have repeatedly broadened proactive duties of oversight for independent directors in areas of material impact on shareholder value such as risk, compliance and executive compensation. Just as boards are charged with overseeing a company’s financial systems and controls, they also have a duty to oversee a company’s management of cybersecurity, including oversight of appropriate risk mitigation strategies, systems, processes and controls.

Without effective oversight and accountability, an organization’s cybersecurity governance systems, policies and procedures can be rendered meaningless, leaving the enterprise vulnerable to attack. In today’s world of continually reported material data breaches, boards cannot claim lack of awareness as a defense to allegations of oversight failures. Regulators and shareholders are increasingly demanding more evidence of director attentiveness to cyber risk. As the Target breach demonstrated, breaches can result in calls for director removal, and even if directors are re-elected, the board and the company will likely face numerous shareholder derivative and class action lawsuits.

Cybersecurity Governance

The first question for the board is who owns management of cybersecurity risk at the board level and at the management level. Typically, boards delegate cybersecurity oversight to the audit committee, or to the risk committee if one is part of the board’s governance structure, for a more concentrated review, with periodic reports to the full board. Others approach cybersecurity as a matter to be overseen by the full board. Company size, industry and existing board risk management structures will dictate the best approach. For the foreseeable future, cybersecurity will require considerable attention by boards working with management, internal audit, enterprise risk management (ERM) and cybersecurity experts as the threats continue to evolve and the total enterprise seeks to adjust. Processes, systems and controls must remain fluid for the foreseeable future.

At the management level, the CEO is ultimately accountable to the board for management of cybersecurity risk. Often, a CEO looks to business information technology (IT) or, in larger organizations, a chief information security officer (CISO) to interface with the board and hold accountability for cybersecurity risk management. This approach builds from a technology knowledge platform, but the major challenge is governance of the total enterprise, which requires established management skills of communication, project management, behavioral science and command presence. Technical solutions are only one piece of managing the risk; every function in the enterprise has a role to play, and for success the business units must own and embrace cybersecurity as a priority. Tension between a decentralized business model and cybersecurity’s need for centralization requires high-level management attention and, if needed, resolution of the resulting conflicts. Decentralization favors local decision making by the business; cybersecurity, on the other hand, must be centralized by its nature and at times must seek to override local business unit decisions. Accordingly, IT, or the CISO if there is one, should report to a senior management member who can oversee the enterprise’s cybersecurity program decision making and to whom the board can look as accountable for cybersecurity.

Cybersecurity Strategy & Risk Oversight

Too often, IT presents boards with cybersecurity reports that are technical and lack an enterprise-wide strategic overlay. For effective oversight, boards should hold senior management accountable for ensuring that a clear and concise cybersecurity strategy, understandable in nontechnical terms, is in place, along with systems and controls to monitor its implementation. This requires regular dialogue between the board and management, and sharing of accurate and useful information, including metrics to track performance and provide accountability. Most importantly, a concise, high-level, “plain English” cybersecurity strategic plan must be agreed to by the board and senior management.

For more on this topic, read:

Emerging Practices in Cyber Risk Governance
Based on best practices from leading global companies and lessons from cyber-risk cases gone wrong, this report outlines a practical strategic and tactical roadmap with both architectural and substantive recommendations for effective cyber-risk governance by boards, the C-suite and functional leaders.

(1) Bill Ide and Amanda Leech are Members of the Dentons Governance Center, and this Guide is based upon their work with, and service on, public company boards. Dentons Governance Center colleagues Joseph Blanco and Crystal Clark made substantial contributions to this Guide.

© 2015 The Conference Board Inc. All rights reserved. The Conference Board and torch logo are registered trademarks of The Conference Board.