Cybersecurity incidents are unavoidable, but boards can govern in ways that make it much harder for adversaries to put the business at risk.
In the face of unrelenting pressure from major cyber incidents and regulatory action to mitigate them, enterprises are assessing whether they are doing enough to deal with cybersecurity. Public companies are evaluating responses to new SEC rules calling for disclosures regarding cybersecurity strategy, risk management, and governance practices. The SEC’s action against SolarWinds is setting off alarm bells throughout the cybersecurity community, causing CISOs to worry about personal liability and companies to reassess their D&O policies. Who will be next?
Cybersecurity incidents are unavoidable. However, in many recent high-profile cases, these incidents have exposed governance and management weaknesses, and disconnects between glowing boilerplate cybersecurity disclosure language and the actual substance of cybersecurity processes. Only after these incidents do companies go to great lengths to revamp their cybersecurity. Why not before? Can this be chalked up to the human tendency not to prepare for the future, or are there other reasons?
There is no doubt that SEC registrants will tighten up and expand their disclosure language, particularly considering that the SEC disclosure rules kick in before year end, but perhaps there are more fundamental problems. Perhaps boards and C-suites perceive their governance, management and implementation of cybersecurity processes and procedures to be adequate. If so, they must be surprised when incidents reveal facts that demonstrate otherwise. This article briefly questions the cybersecurity preparedness of many companies throughout corporate America, whether public or private, primarily from a governance perspective.
Boards can be overwhelmed by the complexity of cybersecurity and the vast array of detailed management presentations addressing compliance, heat maps, penetration testing and the like, without understanding their context. At the same time, they may be comforted by management’s actions to deal with cybersecurity and not feel the need to do more. If so, are board members pushing cybersecurity governance out to the management team? The expression “Noses in, Fingers Out” is meant to stress the board’s responsibility to ask insightful questions but not to manage the business. However, the expression cuts both ways: governance cannot be delegated to the management team. Yet evidence from well-publicized breaches suggests either a lack of governance or its delegation to management. Guidance on cybersecurity governance is available from NIST, which is in the process of adding a “GOVERN” function to its Cybersecurity Framework, described as follows:
“GOVERN directs an understanding of organizational context; the establishment of strategy and cybersecurity supply chain risk management; roles, responsibilities and authorities; policies, processes, and procedures; and the oversight of cybersecurity strategy.”
Board adherence to some form of the GOVERN function is necessary for the board to meet its fiduciary responsibility. For most business risks and challenges, experienced board members are well equipped to ask insightful questions, assess risk, and make governance decisions. However, in the past, the complex nature of cyber risk has caused many board members to shy away from cybersecurity and not devote the time and energy required to fully understand and deal with the issue. This is unsustainable as incidents and regulatory pressures mount. Adding cybersecurity expertise to the board can be a partial fix for this problem, so long as these additions are not viewed as a “check-the-box” solution that relieves the rest of the board of its fiduciary duty. We are only just beginning to see signs of a broader solution in which the entire board digs in and devotes the time and energy needed to understand this systemic risk to the business.
Here are sample questions board members are asking to make this happen:
- Is our board adhering to its fiduciary governance responsibility or delegating it to management?
- Does the board have a sufficient understanding of the enterprise’s business functions and interactions to contextualize cyber risk?
- Are the board and management properly structured and organized to deal with cyber risk?
- Has the enterprise adopted a robust cybersecurity framework that it adheres to rigorously?
- How does the framework fit into overall enterprise risk management?
- What criteria are used to make changes to cybersecurity spending?
- Does the board understand risk tolerance, and does it interact with management to develop a risk appetite?
- Does the board understand cybersecurity presentations by management, or are they delivered in technical jargon?
- Do cybersecurity policies and procedures include customer, third party, operational and software interfaces?
- How do cybersecurity compliance audits relate to governance?
- What procedures are in place to respond to and report cyber breaches?
- Does the board participate in tabletop exercises to train for responses to cyber incidents?

Boards want to avoid closing the cybersecurity barn door only after an incident. To do so, they need to transform their perception of cybersecurity governance into reality.
Effective cybersecurity requires organizational changes to govern and manage complex digital systems, educational changes to develop a common contextual “systems” understanding among the board and risk experts, and cultural changes to imprint upon the enterprise the importance of shared responsibility for cybersecurity.
The time for an enterprise-wide understanding of systemic cyber risk is today. There are no easy check-the-box solutions for cybersecurity.