Let’s be clear: GDPR Article 70 states that the board will get involved in cyber security. While cyber security may appear to many board members to be a daunting new risk, the long-established, “tried and true” board governance approach to risk oversight described in this article works well and should be applied to cyber security risk.
Board duties generally fall within 6 categories:
With respect to cyber security, the board’s duties in each of these categories play a critical role in effective oversight of a company’s cyber security program.
Every director should have a general understanding of cyber security risk and what it means for directors’ oversight responsibilities. While the basic business-judgment obligations of directors are the same for this emerging area of risk, cyber security itself is a dynamic and complex subject. The purpose of this article is to provide a “plain English” review that helps boards of directors and senior managers carry out their cyber security oversight duties, including cyber strategy development and governance. Effective oversight in this area can mean the difference between “learning the hard way” and incurring significant damages, or successfully mitigating the damages that frequently accompany a significant breach.
While our article is specific to boards of directors, the fiduciary principles of oversight apply to senior management as well. Senior management also delegates and oversees, but at a more granular level than boards. In the end, senior managers should also follow the principles of this guide to establish proper oversight, ensure that sufficient processes and controls are in place and assure their boards that cyber risks are identified and managed well.
Cyber security oversight: The role of the board
For company management and boards of directors, a record number of recent incursions demonstrate that cyber security risk is as significant as other critical strategic, operational, financial and compliance risks under boards’ purviews.
Just as boards are charged with overseeing a company’s financial systems and controls, they also have a duty to oversee a company’s management of cyber security, including oversight of appropriate risk mitigation strategies, systems, processes and controls.
Without effective oversight and accountability, an organization’s cyber security governance systems, policies and procedures can be rendered meaningless, leaving the enterprise vulnerable to attack. In today’s world of continually reported material data breaches, boards cannot claim lack of awareness as a defense against allegations of oversight failures. Regulators and shareholders are increasingly demanding more evidence of director attentiveness to cyber risk. As several cases have demonstrated, breaches can result in calls for director removal. Even if directors are re-elected, the board and the company will likely face numerous shareholder derivative and class action lawsuits.
1. CYBER SECURITY GOVERNANCE
The first question for the board is: Who owns management of the cyber security risk at the board level and at the management level? Typically, boards delegate cyber security oversight to the audit committee—or to the risk committee if one is part of the board’s governance structure—for a more concentrated review, with periodic reports to the full board. Others approach cyber security as a matter to be overseen by the full board. Company size, industry and existing board risk management structures will dictate the best approach. For the foreseeable future, cyber security will require considerable attention by boards working with management, internal audit, enterprise risk management (ERM) and cyber security experts as the threats continue to evolve and the total enterprise seeks to adjust. Processes, systems and controls must remain fluid over that same period.
At the management level, the CEO is ultimately accountable to the board for management of cyber security risk. Often, a CEO looks to business information technology (IT) or, in larger organizations, a Data Protection Officer (DPO), per the EU GDPR guidelines, to interface with the board and hold accountability for cyber security risk management. This approach builds from a technology knowledge platform, but the major challenge is governance of the total enterprise, which requires established management skills of communication, project management, behavioral science and command presence.
Technical solutions are one piece of managing the risk, but every function in the enterprise has a role to play. For success, each business unit must own and embrace cyber security as a priority. Tension between a decentralized business model and cyber security’s desire for centralization requires high-level management attention to resolve conflicts. Decentralization favors local decision-making by each unit; on the other hand, cyber security must by its nature be centralized, and at times must seek to override those local decisions. Accordingly, IT or the DPO should report to a senior management member who can oversee the enterprise’s cyber security program decision-making, and to whom the board can look as accountable for cyber security.
2. CYBER SECURITY STRATEGY AND RISK OVERSIGHT
Too often, IT presents boards with cyber security reports that are technical but lack an enterprise-wide strategic overlay. For effective oversight, boards should hold senior management accountable to ensure that a clear and concise cyber security strategy, understandable in nontechnical terms, is in place, along with systems and controls to monitor its implementation. This requires regular dialogue between the board and management, and the sharing of accurate and useful information, including metrics to track performance and provide accountability. Most importantly, a concise, high-level, “plain English” cyber security strategic plan must be agreed to by the board and senior management.