Cybersecurity – what every board member should know.

What is cybersecurity & why is it important?

Whether you are a new board member or have spent many years on a board, it is crucial that you have a clear idea of what cybersecurity is and the risks it poses to your organization. According to a recent National Association of Corporate Directors (NACD) survey, sixty-one percent of directors report that they would be willing to compromise on cybersecurity to achieve business objectives, while twenty-eight percent prioritize cybersecurity above all else. These are radically opposite views, so naturally the next question is: which group is right? The difference in responses has to do with how executives view cybersecurity. Some perceive it as a business enabler, while others see it as an Information Technology (IT) or compliance issue, something that belongs to the technology department, and fail to appreciate the integral role cybersecurity plays in ensuring business operations run smoothly.

To fully understand cybersecurity risks, we must first define cybersecurity: cybersecurity simply refers to the tools, techniques, and procedures a business uses to protect its data (proprietary, customer, patents, etc.), devices (computers, servers, networks, laptops, phones, etc.), systems (HR systems, accounting software, manufacturing processes, customized computer systems, etc.) and other services. With this definition in mind, it is easy to see the vital role cybersecurity plays in ensuring businesses operate smoothly and successfully. For organizations to manage cyber risks effectively, there needs to be a paradigm shift in the way senior leaders see cybersecurity. Business leaders must understand that cybersecurity goes beyond compliance and IT and is a key component of business strategy in our increasingly digital world.

Ways cyberattacks can impact businesses.

Simply stated: not having an adequate cybersecurity strategy that accounts for a business’s unique risks and ensures the necessary steps are taken to protect the business from bad actors is bad business and can threaten a business’s survival. Ultimately, company directors have a responsibility to act as advisors, question-askers, problem-solvers, and decision makers in matters such as a business’s cybersecurity strategy. As such, it is a director’s job to understand cybersecurity risks at a high level. According to the IBM report “How much does a data breach cost in 2022?”, the average cost of a data breach increased 2.6%, from $4.24M in 2021 to $4.35M in 2022. With breach costs trending higher year over year, cyber attackers are getting more organized, investing in R&D, improving their attack mechanisms, and attaining greater levels of sophistication. Businesses in turn must double down on their efforts to address cyber risk at the leadership level as they pursue digital transformation. And to quote Desiderius Erasmus, “prevention is better than cure”.

What is the role of board members regarding cybersecurity?

The role of board members in preventing cyber attacks is splendidly explained in the principles for board governance of cyber risk, which is the result of collaboration between the World Economic Forum, National Association of Corporate Directors (NACD), Internet Security Alliance (ISA) and a working group of industry professionals, supported by project adviser PwC. In summary, to achieve a cyber-resilient organization that drives strategic business goals, the board must:

The following section will explore board actions that enforce these principles.

How can board members lead the way in cybersecurity?

Contrary to what most may think, board members have a crucial role in leading cybersecurity in the organization. The following are ways a board member can contribute:

Include cybersecurity on the board meeting agenda:

According to the NACD, sixty-six percent of companies scheduled cyber risk at least once on their board agenda during the last year. As a new board member, you can differentiate yourself by being a champion of cybersecurity and ensuring it is, and stays, a discussion topic at every meeting.

Understand the consequences of a cyber breach and plan accordingly

Boards must understand that good luck is not a strategy when it comes to cybersecurity, and their organizations must plan for an eventual cyber breach. To this end, it is the board’s responsibility to ensure that the organization has a robust cybersecurity Incident Response Plan (IRP) that is well thought out, exercised through tabletop exercises performed by an independent, unbiased external party, and backed by a rehearsed business continuity process that is known by all relevant parties in the organization. This plan will mitigate the financial impact of an attack and ensure the business is able to continue to serve its stakeholders effectively and with minimal downtime.

Ensure that the cybersecurity program aligns with strategic business objectives.

This point relates to our earlier emphasis on cybersecurity being a business problem, not a technical problem. In this regard, board members must have a high-level understanding of the business’s cybersecurity strategy to ensure that it addresses key business risk areas such as compliance (e.g. Payment Card Industry Data Security Standards – PCI-DSS), reporting requirements (e.g., SEC reporting), data assurance, liability, governance, availability, etc. Furthermore, it is vital that the board foster cybersecurity as part of its corporate culture, starting at the highest levels with mandatory, industry-specific cybersecurity education and threat briefings for executives.

Address the fact that board members lack a cybersecurity background

According to NACD data, board refreshments in the past year continue to neglect members with skills in cybersecurity (less than 2%) in favor of members with experience in executive leadership (60%) and finance (40%). It is time for new and existing board members to prioritize having a cybersecurity expert in their ranks and to ensure the right cybersecurity leaders exist in their organization. Having highly qualified cybersecurity leaders with strong technical and business backgrounds, as well as the ability to quickly build relationships with senior business leaders, is invaluable for companies to make the connection between business risk and cybersecurity risk in the organization.

Understand that cybersecurity and compliance go hand in hand

It is crucial for board members to understand that governments are increasingly getting involved in cybersecurity, and organizations must make it an integral part of the business’s compliance strategy. In industries like healthcare, government, and finance, strict privacy and data protection standards such as HIPAA, the Homeland Security Act, NIST 800-53, ISO 27001, GDPR, etc. have existed for a while. And as reported in Stuart Madnick’s HBR article, governments feel the need to do something, and we can look forward to a suite of new regulations and enforcement activities.

Understand the roles of the board in the event of an incident

The board must understand what is expected of them in the event of a cyber attack. To fully grasp this, it is important to perform tabletop exercises regularly to educate and prepare board members for their responsibilities and roles during a cyber incident.

Assess whether business Critical and High-Value Assets (HVA) are adequately protected against cyberattacks

Ask the right questions and ensure the organization’s most critical and high-value assets are protected at a level commensurate with their criticality. This sometimes involves engaging the services of an external party who reports directly to the board to provide an independent assessment, in the spirit of “trust but verify”.

Consider whether the spending allocated to cybersecurity is adequate

Is your organization spending enough on cybersecurity considering its size and industry? This can be assessed by looking at the value of the organization’s critical assets and the cost to replace them or recover from a disaster, and benchmarking that against what other firms of similar size and sophistication are doing. The end goal is to achieve the right balance between spending and level of security that is consistent with the business’s risk appetite.

Understanding cyber risk exposure from vendors/third parties

Understand your organization’s exposure to cyber risk from suppliers, vendors, and business partners. Ask whether it is time to audit all third parties to understand what sensitive information is shared, review their contracts to ensure cybersecurity requirements are baked in (especially with legacy vendors), and establish what level of access these third parties have to your data warehouses.

Final thoughts

New board members have a unique opportunity to champion cybersecurity and use their lack of board tenure to ask the right questions about cybersecurity early on. As cybersecurity continues to gain prominence at all levels of business, it is imperative that boards stay engaged and understand the risks that a lack of adequate cybersecurity poses to their business operations, and the unique role only the board can play in making sure their organization has the right cyber governance and strategy in place.