Published in The Credit Union Times
By Stuart R. Levine
Our hyperconnected world poses a governance and oversight challenge for boards. Regardless of the industry or size, every organization is truly vulnerable to threats to its intellectual property and data. One misstep can cause untold costs from compromised data, loss of customer trust, diminished competitive position, fines, lawsuits and damaged reputation.
Recently, I moderated a panel for the National Association of Corporate Directors on this topic. NACD’s “Public Company Governance Survey” reported that 87% of respondents felt that their board needed improvement in its knowledge of information technology, including security. Moreover, this disquiet extends to management. Deloitte recently surveyed 101 CFOs (most at companies with greater than $1 billion in revenues) and only 10% said they were well prepared for a major cybersecurity crisis, while almost 25% were insufficiently prepared.
Boards must effectively oversee and approve management of cybersecurity risk planning. They need current and complete information about the company’s overall data protection program. Yet, a recent NACD survey found that only 12 percent of board members said they frequently receive briefings on cyber-threat mitigation. Over 60 percent of boards did not regularly receive such reports, and 26 percent rarely or never received them. These statistics do not reflect well on boards and their effective governance practices.
This combination of lack of knowledge and lack of information is a dangerous mix. More than ever, it is imperative that boards are well equipped to handle the situation. A number of high-profile data breaches have caused boards to deal with security issues that they once left to technology experts.
Directors too often are not conversant in data protection and cybersecurity. Some directors may find themselves struggling to find the right balance between the basic understanding required for oversight and the much greater level of expertise needed for organizational protection. Directors do not need to be subject experts; they are elected for their judgment. A director, however, must attain a sufficient level of knowledge to ask management suitable questions about cyber-risk mitigation, just as with overall ERM. They must feel a sufficient level of comfort with the subject to challenge the company’s technical experts. Furthermore, dealing with such a difficult technical subject can cause the director to be uncertain of the line between fiduciary oversight and management level issues. A director needs insight to avoid intruding on management’s responsibility.
An educational program for board members will help. The board’s existing advisors, especially those with industry-wide and multi-company experience, such as independent auditors and outside counsel, can provide briefings. Other experts, like cyber-security firms, government agencies and industry associations, can also provide education. Some boards consider recruiting directors with cybersecurity expertise, while keeping in mind the balance required among other needed skills.
The board must determine that management has carefully thought through cyber-risk in devising the organization’s ERM plan. Just as board members may need a cyber-learning program, senior management might need to up its game as well. A lack of technical appreciation by senior management can result in sub-optimal cyber preparedness, as well as inadequate communication to the board from the C-suite.
Moreover, senior management must make certain that they are adequately informed. According to a recent survey by the Ponemon Institute, which researches cybersecurity, about 60 percent of the 600 IT professionals it queried generally do not report cyber-risks until they believe them to be urgent – when the problem is then often more difficult to handle.
Boards should be mindful of the legal risks posed by cyber-attacks, should one occur, especially as this is an evolving area of law. Attacks may generate lawsuits, including allegations that the board neglected its fiduciary duty by failing to confirm sufficient cyber-risk protection. Cyber insurance may help, but as with cyber-law, the cyber-insurance market is still evolving.
The data protection team that management assembles must be properly structured to be most effective. The team leader should have cross-departmental authority; the CFO, COO or CRO are all possibilities. This leadership approach signals that data protection and cybersecurity are not just a technology issue involving the IT cost center, led by the CIO. They are a critical, comprehensive company-wide risk management issue that impacts the whole organization.
Cybersecurity affects all levels of business activity. The nature of the threat is formidable because of its complexity and speed of evolution. Directors need to continuously address it. Attentiveness by every board is required. Directors don’t need to become experts, but they do need to frame the right questions to prevent the potential degradation of a corporation from a cyber-attack.