In this blog post, I will share my thoughts on why cyber risk is considered a board level fiduciary responsibility, the need for a globally sourced set of board level cybersecurity best practices and conclude with some thoughts on the next steps to help mitigate board-level cyber risk liability.
Jane, as the Chair of a midsized US corporation, is getting ready to address the press about her company’s recent acquisition of a promising manufacturer of post-COVID safety products. She is aware of an industry alert identifying similar companies as being potential targets of a substantial cybersecurity attack.
FAIR Institute Member Robert R. Patterson, AIFA®, is Co-Founder and President of Diogenes-FG, offering fiduciary consulting and training for CEFEX certification in Richmond, VA.
She recalls an article in the Harvard Business Review which had pointed out that cybersecurity falls under the fiduciary responsibilities of the board. That information, coming as it had after a relatively minor breach into her company, had prompted the board to take steps to minimize what risks they could. They implemented policies and procedures in accordance with the NIST/FAIR guidelines. Now as board chair, Jane is in position to guide the company through the final implementation of best policies and methods for cyber security.
Knowing that cyber security breaches can wipe out billions in a company’s capital value because of the market’s lack of trust, Jane is confident that the board has both the best practice policies and 80% of the procedures in place to have covered their fiduciary liability.
Why is cyber risk considered a board level fiduciary responsibility?
“Fiduciary duty requires board members to stay objective, unselfish, responsible, honest, trustworthy, and efficient. Board members, as stewards of public trust, must always act for the good of the organization, rather than for the benefit of themselves. They need to exercise reasonable care in all decision making, without placing the organization under unnecessary risk.”
Another way of saying this is that fiduciaries must execute their best “business judgement” when making decisions that are not easily reduced to a set of binary choices.
The term “fiduciary” is most often used in managing private trusts, pension funds, or health savings accounts. In our work advising US and international organizations during the last 30 years, we have become familiar with the difficulty that boards have in understanding what that really means. It wasn’t until the 1990’s that a set of ISO 9000 – based best practices were developed which gave pension fiduciaries the means to assess their conformance. Those standards are focused on process and not on results. For example, determining whether or not “the level of volatility the portfolio is exposed to is understood by the investment steward, and the qualitative and quantitative factors that are considered are documented” is not easily quantified.
So, what does this have to do with board members and cyber security? In the seminal 2015 ruling in the Tibble v. Edison International (13-550), the United States Supreme Court held that
“Because a fiduciary normally has a continuing duty to monitor investments and remove imprudent ones, a plaintiff may allege that a fiduciary breached a duty of prudence by failing to properly monitor investments and remove imprudent ones.”
I believe that the increase in cybersecurity breaches, incidents, and subsequent litigation highlight how board fiduciary liability has expanded to include intellectual property, customer and employee information, and other sensitive information. Indeed, in their article published in the Harvard Law School Forum on Corporate Governance (20 March 2018) titled “Risk Management and the Board of Directors”, the authors suggested that
“…while it is true that the Delaware Supreme Court has not indicated a willingness to alter the strong protection afforded to directors under the business judgment rule that underpins Caremark and its progeny, cases such as In re Wells Fargo and Chief Justice Strine’s dissent in Good should serve as reminders that board processes and decision-making may still be questioned where there are specific allegations that directors ignored “red flags,”… Companies should adhere to reasonable and prudent practices and should not structure their risk management policies around only the minimum requirements needed to satisfy the business judgment rule.
It is this “business judgement” which is at the heart of the issue when it comes to boards understanding and monitoring their cyber fiduciary liability. Unlike the pension industry where there are existing, global, board level ISO-based best practices, there are currently no agreed upon principles or practices in cyber security to help boards evaluate their decisions on the subject.
The issue becomes even more complex when boards are faced with trying to understand how cyber risk fits into enterprise risk. Professor Didier Cossin, Professor at IMD in Switzerland and Founder/Director of the IMD Global Board Centre explains it this way in his book, “High Performance Boards: Improving and Energizing Your Governance”:
“In general, with integrated risk thinking, we are getting to the point where boards will rely more on their business sense and the company’s processes than on complex risk models.”
As fiduciaries of all their company’s assets, Board members must increasingly look to their business judgements in making tactical and longer-term decisions regarding cybersecurity. As with the holding in the Tibble case and as Professor Cossin suggests, this requires a different approach to cyber risk board governance than has been practiced.
We have defined the problem as being one that requires a different approach to help boards understand how cyber risk fits into strategic risk management. We understand that not all cyber risk decisions at the board level are binary, and we understand the need for a set of best practices that seek to help boards understand and fulfill their fiduciary liability by providing an ongoing process to manage/monitor their decisions.
The FAIR approach to managing cyber risk brings a much-needed resource to help quantitatively assess and track cyber risk vis-à-vis the NIST Protocols. Until now there has not been a reliable method for how to assess technical conformance. Now, in conjunction with the NIST Framework, CISOs and others can more effectively anticipate and plan for potential risk. This, in turn, provides the Board with the confidence that management is doing a good job.
Advance your career in risk or security. Get FAIR training through the FAIR Institute.
As discussed earlier, boards have the additional responsibilities of managing cyber risk within the organization’s overall strategic risk, as well as monitoring the risk management process on an ongoing basis. This requires a set of global best practices similar to those used in the pension domain. Should a board be sued in relation to a cyberattack under the fiduciary liability rubric, they would be hard pressed to meet the Tibble standard.
As an example, the complexities of assessing compliance to best practices in the pension domain can be very difficult. Much of the assessment is qualitative in nature since it reflects business judgement and thus is not binary. For example, Practice 1.1 “The Investment Steward demonstrates an awareness of fiduciary duties and responsibilities” is usually confirmed by a document signed annually by the members attesting to their awareness. Does the document in question sufficiently summarize the fiduciary duties and responsibilities? That is where the qualitative judgment call is made.
The paradigm shift in cybersecurity requires a different approach, one that is based on real business judgement by boards. I suggest that a set of cyber risk best practices, distilled from experienced board members, CISO’s and other advisors be developed independently. These practices must be almost organic, allowing for constant updates as new information is incorporated. While business associations, trade organizations and other entities have their own
efforts in this area, the big picture is that there is a multiplicity of practices without a standard for what works and what doesn’t on a global basis.
The primary focus of management and staff is on the operations. Best fiduciary practices like those for the pension domain reflect the combination of quantitative tools for measuring risk and qualitative tools for interpreting them. What is needed is input from board members to complement inhouse expertise to design an agreed-upon set of best practices that would applicable regardless of the residence of a corporation or its subsidiaries.
A wide, geographically based group of board members from different companies and cultures should be organized to share their practical knowledge. Since the standards are starting from scratch, my suggestion is to use a form of Artificial Intelligence (AI) which is already familiar to the designers of the FAIR system: Bayesian Inference (BI). BI meets the requirements of the problem: the elicitation of expert knowledge, synthesizing it where possible, and providing a means to update the practices as new knowledge becomes available. One of the best examples of such an approach was that used by the founders of BayesiaLab in quickly bringing together a group of world experts to develop COVID Epidemic modelling.
The paradigm shift in cyber security urgently requires a new, more innovative approach to defining board level practices that meet the immediate demand and which can be updated on a regular basis as new information becomes available. Using an Artificial Intelligence tool like Bayesian Inference, this can be done both efficiently and cost effectively.
Video: How Boards Exercise Proper Cyber Risk Oversight – Tips for Directors from the FAIR Conference