You wake up one morning, scroll through your inbox and notice an email titled “Corporate Sensitive - Special Meeting” marked high priority from the company employing you as a board member.
Within the email are suggested dates and times for an urgent meeting to discuss a cyber security incident. The agenda includes Cyber Breach Incident Description, Incident Response, Media and Customer Notification Protocol, Shareholder/Stakeholder Impact, and Legal Guidance.
Up to now, your contribution to the board has been based on years of operational experience guiding the company through efficient delivery of products and services. You figure that's why you were hired and are proud of the value you've added to the company. Besides, since 2014, cybersecurity and technology risk have become regular topics, and a small portion of board meeting time has been carved out for the CIO or the CISO to provide cybersecurity briefings. You are pretty accustomed to hearing cybersecurity jargon such as threat actors, vulnerabilities, and cybersecurity controls. And although terms like "threat", "vulnerability", and "risk" seem to be used interchangeably, everyone around the table typically nods in agreement and appears to understand the overarching message.
With every new update, the impression is that the organization is progressively managing cyber risk better because the NIST or ISO cybersecurity framework scores continue to improve. Many cybersecurity findings started out labelled "red" or "high" and have progressed to "orange", "yellow", or "medium-low" risk. Some good questions follow, such as "How are we doing compared to others in our industry?" or "Are we spending as much as our competitors or peers on cybersecurity?" If we're keeping up with best practices, we must be doing well.
As you reply to the email with the dates you're available to meet, you start to worry less about this meeting. You and the board have been talking about cybersecurity for a long time; surely you've all done your job well.
Board Member Fiduciary Responsibility
Or have you? What is the fiduciary responsibility of a board member? And with cybersecurity a relatively new phenomenon, how does it impact that responsibility?
Nearly four years have passed since the first widely publicized cyber breaches of major retailers, financial services, and healthcare companies. In 2014, some (not all) board directors received a liability hall pass because, under Caremark case law, a board of directors can only be held liable for failing to appropriately monitor and supervise the corporation where it has engaged in a "sustained or systematic failure" to exercise oversight. Because formal cyber risk management oversight at the enterprise level was still rare and received little attention, plaintiffs were hard-pressed to win judgments in technology or cyber-risk board-level oversight cases.
The continuous barrage of cyber breaches recognized by the media has drastically changed board-level oversight expectations.
A board's risk oversight responsibilities, derived primarily from state law fiduciary duties, federal and state laws and regulations, Securities and Exchange Commission requirements, and certain established best practices, have evolved to include extensive technology/cybersecurity risk oversight expectations. Although the lack-of-information excuse worked in 2014, the mantra has clearly changed to "ignorance is no excuse". Board directors are on the hook for technology and cyber risk.
Cyber risk management is or should be built into every Enterprise Risk Management program and be included in board-level oversight. As part of their oversight role, board directors have a fiduciary responsibility to ensure company executives implement any reporting, information systems, or controls to monitor and oversee operations, and this obviously applies to technology and cyber risk.
|For more on case law that may have a material impact on board directors, see this article from Forbes: Shareholders Sue Companies For Lying About Cyber Security.|
Improving Board-level Oversight of Cybersecurity in 2018
With regard to the above scenario, the questions and thoughts that should run through your mind are: "Will this event result in a material financial impact to the company? What's the impact to our customers? Were customer records, corporate confidential information, or intellectual property compromised? Are systems down, customers or business operations affected? Quick, turn on the news! Whew, nothing alarming in the news!" At the same time, those questions are being asked too late. Instead, following are some ideas to help ensure the company is managing cybersecurity risk effectively and is prepared to respond when an event occurs.
Do we know what our key assets are?
Are we getting a clear, confident and well documented answer to this question? The CIO and the CISO must be fully aware of all critical corporate assets (including data), where they reside, and what business processes they support. Knowing what your crown jewels are is key when an outage or breach impacts the confidentiality, integrity, or availability of your key systems or corporate sensitive data.
Are we following an established cybersecurity framework?
Did the cybersecurity organization standardize around an established cybersecurity framework, like NIST 800-53, NIST CSF, or ISO 270xx? These frameworks establish a list of minimum best practices and controls that an organization can implement in order to reduce cyber risk. Ensure that consistent and regular reporting on the implementation and effectiveness of these best practices is in place.
Are we measuring and managing cyber risk?
Does the organization know how much and what type of financial loss exposure is associated with cyber events? Are we more subject to privacy liability, reputational losses or loss of productivity? Are we spending too much or too little, based on this loss exposure? How much appetite do we have for cyber risk? Ensure the cyber risk officers are leveraging standard risk analytic models such as FAIR, which allow organizations to articulate cyber risk in financial terms, conduct effective cost-benefit analysis and prioritize the security initiatives that reduce risk the most.
FAIR has been an international standard since 2013, and organizations can no longer plead ignorance in case law regarding effective identification, measurement, and management of cyber risk. With FAIR, board members can be well informed on the probable frequency and probable magnitude of significant cyber events.
|FAIR is a standard by The Open Group and has been selected by the world's largest organizations as their risk model of choice. It complements risk management frameworks by adding an economic dimension to their lists of best practices. Learn more about FAIR.|
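To make "probable frequency and probable magnitude" concrete, here is an added example (not from the article, RiskLens, or The Open Group) of a FAIR-style Monte Carlo estimate of annualized loss exposure, followed by the cost-benefit check the dashboard section asks for. All ranges, the control, and its cost are constructed placeholder values, and the Poisson draw and triangular sampling are simplifying assumptions, not the FAIR standard's prescribed distributions.

```python
import math
import random

# Constructed inputs (not from the article): each factor is a calibrated
# (min, most likely, max) range sampled from a triangular distribution.
# Loss Event Frequency (LEF) is events/year; Loss Magnitude (LM) is $/event.
BASELINE = {"lef": (0.1, 0.5, 2.0), "lm": (50_000, 200_000, 1_000_000)}
# Hypothetical control that halves the expected loss event frequency.
WITH_CONTROL = {"lef": (0.05, 0.25, 1.0), "lm": (50_000, 200_000, 1_000_000)}
CONTROL_ANNUAL_COST = 100_000  # constructed placeholder


def poisson(rng, lam):
    """Knuth's method: number of loss events in one year given rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(scenario, years=20_000, seed=1):
    """Monte Carlo estimate of annualized loss exposure (ALE).

    For each simulated year: draw a loss event frequency, draw how many
    events actually occur at that rate, then sum an independently drawn
    magnitude per event. Returns the mean annual loss and the 90th
    percentile "bad year", which is what a board should see, not a colour.
    """
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    lo_f, mode_f, hi_f = scenario["lef"]
    lo_m, mode_m, hi_m = scenario["lm"]
    annual = []
    for _ in range(years):
        lef = rng.triangular(lo_f, hi_f, mode_f)  # random.triangular(low, high, mode)
        n_events = poisson(rng, lef)
        annual.append(sum(rng.triangular(lo_m, hi_m, mode_m) for _ in range(n_events)))
    annual.sort()
    return {"ale": sum(annual) / years, "p90": annual[int(0.9 * years)]}


def control_net_benefit(before, after, annual_cost, **kw):
    """Dollar risk reduction from a control minus its cost (>0: worth funding)."""
    reduction = simulate_ale(before, **kw)["ale"] - simulate_ale(after, **kw)["ale"]
    return {"reduction": reduction, "net_benefit": reduction - annual_cost}


if __name__ == "__main__":
    print(simulate_ale(BASELINE))
    print(control_net_benefit(BASELINE, WITH_CONTROL, CONTROL_ANNUAL_COST))
```

With independent draws the expected ALE is E[LEF] × E[LM], so the simulated baseline should land near (0.1+0.5+2)/3 × (50k+200k+1M)/3 ≈ $361k per year, and the control roughly halves it.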
Do we have a business-aligned risk dashboard?
Is our risk management program prioritizing the most important issues and selecting the most effective controls, cost-efficiently? Hold the CISO organization accountable for business-aligned risk management metrics. Ensure they have read the company's 10-K, understand the company's business, and are familiar with the operating metrics as well as with financial-based risk reporting from other specialty risk disciplines.
- Require annual and quarterly top cyber risk reports
- Ensure the CISO has prioritized the cybersecurity budget and related risk mitigation initiatives to address the top risks
- Require quarterly and annual trend reports to ensure sustained progress is being made
Risk analysis models, data sources, and cyber/technology risk quantification applications have matured significantly since the first media-sensationalized breaches. Board directors should expect a degree of risk management maturity within the cybersecurity discipline. Cyber risk can and should be quantified in financial terms.
Are our cyber risk leaders up to the task?
Do our CIO and our CISO know how to translate the value of cybersecurity into financial terms? Can they speak the language of the business? Set the right expectations in terms of risk reporting, but also consider directing them to professional development and training activities where they can develop such skills. Consider the FAIR training and certification course by RiskLens Academy, a training organization accredited by The Open Group, which has trained hundreds of cyber risk professionals and turned them into business-aligned executives.
|Acting on these questions will ensure that you will have taken a true risk management approach to technology and cybersecurity oversight. It may not fully prevent you from receiving that dreaded Board Director Special Meeting email, but your duty of care requirement will be met.|