The rapidly evolving landscape for enterprise risk management with respect to information security is one of the most sobering challenges facing corporate directors today. Directors know that their oversight responsibilities require them to balance security concerns with profitability, but they also know that the two considerations are inextricably linked in an era where corporate asset value is derived more from Intellectual Property and digital assets than it is from physical equipment and facilities.
With that context, a report released recently by the National Association of Corporate Directors (NACD) is very instructive not just for board members themselves, but also for in-house counsel at American corporations and the outside law firms that assist them. The report was developed based on a 2017 NACD survey of corporate directors nationwide. Consider these sobering findings published in the NACD report, based on data collected from various third-party sources:
- The median number of days an organization is compromised before discovering a cyber breach is 146.
- 53% of cyberattacks are first identified by law enforcement or third parties; fewer than half are discovered internally.
- 48% of cyber breaches result from criminal or malicious attacks, and 80% of those “black hat” hackers are affiliated with organized crime.
- Fewer than half of IT security professionals inspect the cloud for malware, despite the fact that 49% of all business applications are now stored in the cloud.
- Nearly 4 in 10 IT organizations (38%) do not have a defined process for reviewing their cyber breach response plans.
In an effort to help corporate directors more aggressively perform their oversight duties with respect to cyber risk management, the NACD’s Cyber-Risk Oversight Handbook lays out five principles that all corporate board members should consider when contemplating their organization’s cybersecurity strategy.
1. Consider the whole enterprise. The NACD advises that directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. “Historically, corporations have categorized information security as a technical or operational issue to be handled by the IT department,” according to the report. “This misunderstanding is fed by siloed corporate structures that may leave functions and business units within the organization feeling disconnected from responsibility for the security of their own data.” Instead, cybersecurity ought to be an enterprise-wide risk management consideration that is addressed the same way an organization assesses risks associated with physical assets, “from a strategic, cross-departmental and economic perspective.”
2. Know the law. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances, says the NACD. “Directors should ask management to solicit external counsel’s point of view on potential disclosure considerations related to forward-looking risk factors, and also in terms of the company’s game plan for response to a major breach or other cyber incident,” according to the report. “As disclosure standards, regulatory guidance, formal requirements and company circumstances all continue to evolve, management and directors should expect to be updated on a regular basis by counsel.” The legal and regulatory landscape related to data security is constantly evolving. Board members need to stay aware of current liability issues faced by the organization.
3. Access to expertise. The NACD recommends that directors have adequate access to cybersecurity expertise, and that discussions about cyber risk management be given regular and adequate time on board meeting agendas. “As the cyber threat has grown, the responsibility and expectations of board members has grown also,” says the NACD handbook. “Directors need to do more than simply understand that threats exist and receive reports from management. They need to employ the same principles of inquiry and constructive challenge that are standard features of board management discussions about strategy and company performance.” Just 14% of directors believe their board has a “high” level of knowledge of cybersecurity risk, according to the NACD survey.
4. Commit the necessary resources. Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget, advises the NACD. “Technology integrates modern organizations, whether workers are across the hall or halfway around the world,” write the NACD experts. “But the reporting structures and decision-making processes at many companies are legacies of a siloed and unintegrated past, where each department and business unit makes decisions relatively independently, and without fully taking into account the digital interdependency that is a fact of modern life.” The solution is for directors to seek assurances that management is taking an enterprise-wide approach to cybersecurity and allocating sufficient budget to carry out the tactical work that must be done. As with any battle, this one can only be waged with adequate resources committed to the fight.
5. Proactively manage the risks. The NACD recommends that board-management discussions about cyber risk should include the identification of which risks to avoid, which risks to accept, and which risks to mitigate or transfer through insurance — as well as specific plans associated with each approach. “Management teams need to determine where, on a spectrum of risk, they believe the firm’s operations and controls have been optimized,” according to the NACD report. “As with other areas of risk, an organization’s cyber risk tolerance must be consistent with its strategy and, in turn, its resource allocation choices.” A complete lockdown of digital assets is unrealistic, so directors must do the tough proactive work of providing management with guidelines on their risk appetite with respect to data security and then seek assurances that management has devised organizational priorities for cyber risk management.

The cybersecurity threat is real and substantial for any enterprise. Corporate directors can play an important role in effective cyber risk management by following these five crucial principles identified by the NACD and working with management teams, in-house counsel and their outside law firms to identify potential gaps in the company’s existing defense plans.