Board Oversight of Cyber-Risks
Over the last few years, “cyber” has moved from science fiction to business reality. I am not sure why we changed from talking about information security to cyber, but I am told (yet not convinced) that there is a difference.
In any event, boards and top management need to be concerned with cyber-risks because of the potential harm an adverse incident can cause to the organization’s reputation and trust, intellectual property, and compliance with applicable laws and regulations – and the business disruption can be even greater.
But how much should boards get involved? Should we expect directors to ask for and inquire about details, or should they instead ask probing questions and satisfy themselves that management has appropriate mechanisms in place?
Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members).
I like their five principles, especially the first two:
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
While some would like to see information security (a.k.a. cybersecurity) as an issue that merits attention all by itself, the potential effect on the entire business and its ability to achieve its objectives justifies cyber being recognized as a business and not “just” an IT issue.
In fact, the level of risk associated with any cybersecurity failure should be measured like any risk, in terms of its effect on the achievement of enterprise objectives. This means that the interrelationship between cyber and revenue generation, customer satisfaction, and so on all need to be considered.
In addition, the investment the organization makes in cybersecurity should be commensurate with the level of risk and balanced against competing needs for capital from other aspects of the business.
Should there be an IT committee of the board? Should the board have several cyber experts who can understand and provide effective oversight? I think the answer is “it depends” – on the level of risk that cyber represents to the organization and whether the board can use the services of experts (such as within risk management and/or internal audit) to fill any knowledge gaps.
I agree with the NACD that the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. I believe they should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programs for managing it.
Do you agree?
- Transforming Cybersecurity (Deloitte)
- Why senior leaders are the front line against cyberattacks (McKinsey article)
- Shifting Risks and IT Complexities Create Demands for New Enterprise Security Strategies (IDC White Paper)
- Lessons from Target’s Security Breach (Cutter)