Home > Risk > Cyber and the board

Cyber and the board

There’s an interesting article in the Harvard Law School Forum on Corporate Governance and Financial Regulation. What the Capital One Hack Means for Boards of Directors has some interesting insights that merit the attention of risk, cyber, audit, and governance practitioners.

Much of the article is useful background information for board members, in particular the discussion on how hackers penetrate third parties (or fourth parties) as a way of gaining access to your network and its systems and data.

Here are some other interesting comments:

  • …vendors, partners, business associates, and other third parties whose outsourced operations become integrated within a company, can pose a challenging and existential cybersecurity threat to operations. Yet despite increased regulatory scrutiny; growing virtual threats at a global, national and state level; and a riskier business environment, most experts would attest that the relative maturity level of vendor risk management programs is still lacking.
  • …digital interconnectivity between vendor and customer creates an inherent risk as cybersecurity shortcomings of third-party vendors have become the go-to-attack vector for cybercriminals. In fact, PWC reports that 63% of all cyber-attacks could be traced either directly or indirectly to third parties.
  • Given the explosive growth of outsourced technology services and the increasingly intimate cyber-integration and relationship of companies and third party vendors, boards need to monitor and challenge their third-party exposure and insure the proper implementation of safeguards and processes to reduce their vulnerability.
  • …cybersecurity engagement for boards does not mean that board members must obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts.

The article focuses almost exclusively on breaches that result from weakness outside the enterprise network and its defenses. That is a limitation that should not be overlooked. There is much more to cyber risk.

But my main problem with the piece is that it asks too much of directors.

The board should not be asking all these (excellent) questions. It should be demanding that management have the answers.

It is not the role of the board to run the organization, understand, and then address all its business risks – including cyber.

It is the role of the board to ensure management is doing all of that well.

So:

  1. The board should obtain assurance that management is capable of running the organization to achieve its objectives. That includes addressing cyber and other sources of risk.
  2. Management should ensure it has the answers to the questions in the article.
  3. The CISO, Risk Management, and Internal Audit can use the questions in the article for their own practices.
  4. Internal Audit should consider cyber risk in its planning and, where it is a serious source of risk, provide an objective assessment of the maturity of cyber prevention, detection, and response processes and controls.

I welcome your comments.

 

Advertisements
  1. August 24, 2019 at 7:17 PM

    Hello Norman, I agree with you that it is for the board to obtain assurances, and for management to do the work. However, various cases have held a board responsible for ignoring or not addressing red flags. Additionally, and this is a difficult issue, it can be argued that the members of a board, or of a risk committee, or of an audit committee, should have some level of understanding about the subject matter to ask intelligent questions and intelligently evaluate responses. The following is a summary of the business judgment rule.

    II. THE BUSINESS JUDGMENT RULE

    The business judgment rule provides a director with a defense to personal liability, holding that as a general principle of law, a director, including a director who serves as a member of a board committee, who satisfies the business judgment rule has satisfied his or her duties. Thus, the business judgment rule provides one standard of care, although other standards may very well also apply to specific tasks and responsibilities. I have started with the business judgment rule because it provides a very good overall approach for directors and audit committee members to follow, although lacking in specific detail. In some states the business judgment rule is codified by statute while in other states the rule is established by case law (see, i.e., Cal. Corp. Code §309 for California corporations, Del. Gen. Corp. Law §141 for Delaware corporations, in addition to relevant case law). The rule also applies to directors as board committee members.

    In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:

    -In good faith, with honesty and without self-dealing, conflict or improper personal benefit;

    -In a manner that the director reasonably believes to be in the best interests of the corporation and its shareholders; and

    -With the care, including reasonable inquiry, that an ordinarily prudent person in a like position with like expertise would use under similar circumstances.

    Reliance Upon Other People Under the Business Judgment Rule

    In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. The director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:

    -Officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the relevant matters;

    -Legal counsel, independent accountants or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or

    -A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.

    Stated differently the following is from my two page summary of the business judgment rule written in more conversational English.

    2-PAGE BOARD & DIRECTOR OVERSIGHT GUIDELINES
    Dave Tate, Esq. (San Francisco)
    http://auditcommitteeupdate.com

    This paper is applicable for all entities – public companies, private companies and organizations, nonprofits and governmental entities – although depending on the entity type or situation, sometimes the terminology or context might be different. These guidelines will help the prudent director accomplish his or her responsibilities. This paper is comprised of two primary sections: Overall Guidelines and Oversight Areas. Some of these guidelines are simply prudent business judgment, which might also be a legal defense to allegations of director wrongdoing. Some of the guidelines are required by law.

    The following 10 board and director Overall Guidelines are grouped into two areas: general and specific. I have intentionally avoided a checklist approach. The 10 Overall Guidelines are primarily based on the business judgment rule and related statutes, regulations and rules. See also the Oversight Areas topic that follows.

    OVERALL GUIDELINES

    There are 4 general guidelines, not in any particular order:

    1. Act with integrity, honesty and professionalism, and without self-dealing, self-interest or conflict of interest, and require that of others.

    2. Act in the manner that you believe is best for the organization, and require that of others, even if at times it isn’t comfortable for you to do so.

    3. Be heard and actively involved, speak up, and be counted, with the appropriate “working together” demeanor.

    4. Be a leader, by example.

    The remaining guidelines, numbers 5 through 10 are more specific. Again not in any particular order:

    5. Know your responsibilities, and make sure the other people are in agreement about your responsibilities. Some people might refer to this as having a charter, but I believe this guideline requires more detail and understanding than a typical charter. You should also be analyzing and revising or updating your board and committee charters and responsibilities. Right now, for example, especially for activities having to do with risk management, and cybersecurity.

    6. Acquire the information that you need so that you can accomplish your responsibilities, by exercising active, timely and inquiring diligence and follow-up, talking with people and acquiring information.

    7. Timely possess and acquire the knowledge and education that you need so that you know your responsibilities and are prepared to perform your responsibilities, address the issues, and act with prudence.

    8. Rely on other people including information provided by other people only if (1) you believe those people are reliable and competent in the areas that they are addressing, (2) your reliance is in good faith, after reasonable inquiry as warranted by the circumstances, and (3) you do not have knowledge that would cause reliance to be unwarranted.
    And as a sub-set of number 8, ask the people who you are relying on for information the following question, “What else do you know that I should also know?”

    9. Make diligent informed decisions in keeping with these guidelines, including the difficult decisions.

    10. And for number 10 I have included a suggestion. Take time to reflect on the organization, the board and the board committees, important issues and topics, and how things are going, what needs to happen, and things about which you have questions. Then, communicate the issues, topics and actions that you believe need to be addressed, in keeping with the organization’s mission and your responsibilities.

    Number 10 also relates to board and committee agenda setting. To whom do you communicate proposed agenda issues and topics? Are your issues and topics given due consideration?

    Of course, accomplishing director responsibilities is also a function of the board’s overall governance, operations, expertise, functioning and atmosphere of professionalism. And remember the annual or more often evaluation of the board and its committees.

  2. Norman Marks
    August 25, 2019 at 6:26 AM

    Thank you, David, for sharing this. I was well aware of it. They key is to have a basis for believing management is capable – and that does not mean that you have to be able to ask questions in the level of detail described in the article.

    If the board is receiving assurances about risk management capabilities and processes from internal audit and the CRO, and asking questions to probe management, that should be sufficient.

    The board cannot have this level of detailed understanding of every aspect of the business and its environment.

  1. August 27, 2019 at 4:51 AM

Leave a Reply to David Tate, Esq. Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: