By Stuart R. Levine
Published in AGENDA
Boards need to ensure they have proper oversight of cyber-security issues, but creating another committee will not solve the problem.
Directors still need to keep up with the pace of change. Ocean Tomo, a merchant bank specializing in intellectual property, estimates that intangible assets represent 84% of the value of the S&P 500. McKinsey Global Institute estimates that over the next five to seven years, $9 trillion to $21 trillion of global economic value creation will be information related, representing a 10% to 20% increase over current global GDP levels.
The stakes are undoubtedly high, and the solution to overseeing information assets requires a combined effort between boards and senior management rather than delegating the task to a newly formed cyber-security committee. One of the problems with creating more committees is that boards may struggle to populate them with enough cyber-security experts. A better solution is to strengthen enterprise risk management practices that CEOs and CIOs are responsible for, and on which they regularly report to the board. Once the board agrees on policies and procedures for overseeing risk, a framework can be built where the internal business leaders work together, navigate the internal complexities and protect assets as best as they can.
Creating an informed cyber-security culture that permeates the organization should not become the sole responsibility of IT. Cyber-security needs to be driven by both the CEO and the CIO. The CIO must report to the CEO candidly and without filtering, so that when capital investment or new equipment is required, the approval process can be accelerated rather than stalled.
Some companies have yet to develop policies on how to respond to a breach, which is unacceptable. Responding to a breach requires clear thinking and pre-existing response processes: who notifies the board, senior officers, the leadership team and customers, and when the appropriate federal authorities are contacted. This internal communication plan, and the response it coordinates to protect the company's assets, including its reputation and brand, is essential.
Building response protocols can only begin after boards complete so-called fishing expeditions: deliberate inquiries into whether protocols exist in the first place and whether they are being handled effectively. Boards need to ensure that both they and their CIO are familiar with the current Cybersecurity Framework released by the National Institute of Standards and Technology. The framework establishes a common language and serves as a guidepost for understanding shifting regulatory expectations in the areas of cyber-risk management, privacy safeguards, information sharing and resiliency.
Boards should also review their existing charters to ensure they are aligned on responsibility for cyber security. In most cases the audit committee takes ownership of these issues, and the company's internal teams should report to it formally and regularly. Enterprise risk management teams tend to find that heat maps are the most compelling way to explain the cyber-security risks facing the company, and these should be used for both board-level and executive-level reports. While it helps to have the audit committee review these formalized reports, ultimately the full board should carry the greater responsibility for risk oversight. The Treadway Commission provides guidance on monitoring internal control systems, as do other educational organizations such as the National Association of Corporate Directors, and this learning can become part of board education through the governance committee. Directors will be in a better position if they: have access to the right information and the most useful performance metrics to track and assess the organization's most prized information; receive regular reports; oversee periodic testing of cyber breach response plans; and ensure that the board is up to speed on current cyber threats.
Most boards work extremely hard to protect shareholder value, and creating a stand-alone board committee is probably not the correct answer. However, Ira Millstein, a governance scholar at Yale University and a lawyer, believes the existing business judgment rule does not give board members enough guidance. Directors should keep in mind that their actions will come under greater scrutiny as standards for information practices in the boardroom become stricter.