With the ever-present reality of cybersecurity breaches, there has been a tendency in board governance literature to treat cybersecurity risks differently than other risks facing the organization. In practice, however, boards have long been tasked with protecting their companies from significant risks.
While cybersecurity may appear to many board members to be a daunting new risk, the long-established “tried and true” board governance approach to risk oversight described in this article works well and should be applied to cybersecurity risk.
Board duties generally fall within 6 categories:
With respect to cybersecurity, the board’s duties in each of these categories play a critical role in effective oversight of a company’s cybersecurity program.
Every director should have a general understanding of cybersecurity risk and what it means for directors’ oversight responsibilities. While the basic business-judgment obligations of directors are the same for this emerging area of risk, cybersecurity itself is a dynamic and complex subject. The purpose of this article is to provide a “plain English” review that helps boards of directors and senior managers carry out their cybersecurity oversight duties, including cyber strategy development and governance. Effective oversight in this area can mean the difference between “learning the hard way” and incurring significant damages, or successfully mitigating the damages that frequently accompany a significant breach.
While our article is specific to boards of directors, the fiduciary principles of oversight apply to senior management as well. Senior management also delegates and oversees, but at a more granular level than boards. In the end, senior managers should also follow the principles of this guide to establish proper oversight, ensure that sufficient processes and controls are in place and assure their boards that cyber risks are identified and managed well.
Cybersecurity oversight: The role of the board
For company management and boards of directors, a record number of recent incursions demonstrate that cybersecurity risk is as significant as other critical strategic, operational, financial and compliance risks under boards’ purviews.
Just as boards are charged with overseeing a company’s financial systems and controls, they also have a duty to oversee a company’s management of cybersecurity, including oversight of appropriate risk mitigation strategies, systems, processes and controls.
Without effective oversight and accountability, an organization’s cybersecurity governance systems, policies and procedures can be rendered meaningless, leaving the enterprise vulnerable to attack. In today’s world of continually reported material data breaches, boards cannot claim lack of awareness as a defense against allegations of oversight failures. Regulators and shareholders are increasingly demanding more evidence of director attentiveness to cyber risk. As several cases have demonstrated, breaches can result in calls for director removal. Even if directors are re-elected, the board and the company will likely face numerous shareholder derivative and class action lawsuits.
1. CYBERSECURITY GOVERNANCE
The first question for the board is: Who owns management of the cybersecurity risk at the board level and management level? Typically, boards delegate cybersecurity oversight to the audit committee—or to the risk committee if one is part of the board’s governance structure—for a more concentrated review, with periodic reports to the full board. Others approach cybersecurity as a matter to be overseen by the full board. Company size, industry and existing board risk management structures will dictate the best approach. For the foreseeable future, cybersecurity will require considerable attention by boards working with management, internal audit, enterprise risk management (ERM) and cybersecurity experts as the threats continue to evolve and the total enterprise seeks to adjust. Processes, systems and controls must remain fluid for the foreseeable future.
At the management level, the CEO is ultimately accountable to the board for management of cybersecurity risk. Often, a CEO looks to the business information technology (IT) function or, in larger organizations, a Data Protection Officer (DPO), a role provided for under the EU GDPR, to interface with the board and hold accountability for cybersecurity risk management. This approach builds on a foundation of technology knowledge, but the major challenge is governance of the total enterprise, which requires established management skills in communications, project management, behavioral science and command presence.
Technical solutions are one piece of managing the risk, but every function in the enterprise has a role to play. For success, each business unit must own and embrace cybersecurity as a priority. Tension between a decentralized business model and cybersecurity’s desire for centralization requires high-level management attention to resolve conflicts. Decentralization favors local decision-making by each unit; on the other hand, cybersecurity must by its nature be centralized, and at times must seek to override those local decisions. Accordingly, IT or the DPO should report to a senior management member who can oversee the enterprise’s cybersecurity program decision-making, and to whom the board can look as accountable for cybersecurity.