When it comes to cyber security, boards of directors fear nothing as much as the unknown. Some 82% of board members are confident in their management’s ability to address known risks, but only 19% have the same confidence about atypical, disruptive risks, according to the 2019 Governance Outlook from the National Association of Corporate Directors (NACD).
As they deal with their oversight duties, board members need to ask a related question: Are they themselves sufficiently in the know? Board members need to ask three questions to ensure they’re receiving the right information to perform their governance duties.
Are risk briefings aligned with strategic goals?
The NACD report concluded boards should “challenge” managers to provide them with timely information. During risk briefings, the CIO might tell the board how many vulnerabilities were patched. Such metrics, while useful, are simply proxies for risk. The real question is whether the discussion of risk is tied to the firm’s strategic goals.
“A software-as-a-service company, which is focused on high growth, might inherently have a higher degree of risk,” says David Ross, the cyber security practice leader for Baker Tilly, an accounting firm that partnered on the NACD report. “An established manufacturer might be able to circle the wagons and minimize their risk.”
Ross says boards need to avoid disconnects in which the board is focused on risk while the technology people are talking about bits and bytes. As boards engage management in cyber security risk discussions, directors should expect management to produce reports on the effectiveness of the organization’s cyber security-risk management program.
“The board needs to ask things like, ‘Your cyber controls look good on paper, but how do you know it actually works?’” Ross says. “Sometimes the board needs to get a third party to perform a cyber security audit or do a penetration test. Sometimes the board needs to push management to run a practice exercise, such as restore from backup.”
Are we focusing on the newest risks instead of the most important risks?
Some 70% of directors believe their boards need to strengthen their understanding of the risks and opportunities affecting company performance, according to the NACD.
New types of risks constantly appear – from ransomware (hijacking computer systems for ransom) to business email compromise (posing as a trusted party to swindle the company) to cryptojacking (malware that secretly mines digital currency on the victim’s systems). Board members need to be apprised of the latest threat trends. At the same time, they must focus on whether the company is protecting against the costliest threats to their organization.
“Whether you should be reactive or proactive around risks will vary from company to company,” Ross said. “For some companies, it will be fine to be 95% reactive.”
For example, the board of a large hospital was concerned about ransomware, where a hacker blocks access to computer systems until a sum of money is paid. After Ross probed them, the board members realized a ransomware attack wouldn’t compromise the hospital’s mission. It might prevent the hospital from billing for treatment, but it wouldn’t hinder ER doctors from treating a gunshot wound.
The board determined a ransomware attack could shut down the main hospital systems for six days before the situation became dire. The board then discovered a disaster-recovery plan for dealing with a hurricane in which the entire IT system could be restored in six days. That discovery changed their view of how much attention to devote to ransomware.
However, this process-focused board may have overlooked a risk. Hackers could potentially infiltrate the hospital’s blood bank, turn up the temperature to ruin the blood supply, and prevent the hospital from functioning. “The odds of that happening were much smaller than a ransomware attack, but the risk was much greater,” Ross said.
Do investors adequately understand the board’s role in overseeing risks?
In the past year, the Securities and Exchange Commission (SEC) urged public companies to inform shareholders of important cyber security risks. The NACD report counseled boards “to stay vigilant and ensure that there are adequate policies and mechanisms in place to keep directors informed of these regulatory developments, and they will need to understand how management intends to address them.”
Directors need managers to inform them about three key issues:
- Does the company’s cyber security plan include consideration of timely disclosure of cyber-related issues?
- How timely and in what manner are cyber security incidents communicated to the board?
- Is there appropriate disclosure of the board’s role in the oversight of cyber security risk?
The extent of regulatory change is staggering, so keeping abreast of evolving issues is critical. “The new Nevada privacy law went from draft to law to deployment in five months,” Ross said. “Regulations don’t move that fast typically.”
In cyber security, though, fast is the new normal, and boards need to remain diligent and in the know to keep up with their governance role.