A person prepares to work on a protective cybersecurity system at the International Cybersecurity Forum in France. The boardroom's responsibility around cyber risk is growing.
Photo: Philippe Huguen/AFP/Getty Images
Few events pose more sudden and systemic risks to corporate leadership than a significant cyber event. And the threat is only growing.
If reputations are gained by the teaspoon and lost by the gallon, cyber is exponentially more threatening. The onus of managing risk in every corporation ultimately falls on the CEO and the board of directors. Effective CEOs, therefore, are thoroughly plugged into cybersecurity operations, those systems and procedures that, in today’s lexicon, are aimed at mitigating the risk of company communications being disrupted.
I know from conversations with CEOs and general counsels across the country that their biggest fear—besides being impugned on social media—is having their cyber systems hacked, their “state secrets” exposed and exploited, or worse yet, their external and internal communications operations dismantled or gutted. When you can’t tell the world you’ve been hacked because your email system is completely down, you’re in trouble.
Corporate Compliance Complicates Cybersecurity
Many board members don’t live in the world of disrupted communications, cyber ambushes, NGO assaults, blowups on Twitter, and the like. So, what’s the appropriate role for board members when it comes to these issues? The board’s responsibility revolves around recognizing risk—and ensuring that the company is taking appropriate action and installing sufficient backup systems to minimize that risk.
GDPR is a classic example: Hundreds, if not thousands of American corporations are operating under the mistaken impression that they don’t have to comply with the EU’s new privacy regulations. Yet if companies depend on the creation or processing of data (and these days, what company doesn’t?), there’s a strong chance that they’ll be subject to GDPR and the ongoing efforts of the EU and other government entities around the world to crack down on hacking and privacy violations.
Under GDPR, every data-driven company must appoint a designated data protection officer. Data protection best practices, moreover, now point to the creation of a board-level cyber risk committee, as well as toward the assurance of personal employee-level cybersecurity discipline among board officers themselves, since they’re often the target of phishing. Finally, board members in the U.S. should keep in mind that the U.S. Cybersecurity Disclosure Act of 2017 requires board-level cybersecurity expertise.
The “European model” for anti-hacking and privacy protection is the way the world is going. Smart companies and board members need to stay a step ahead.
How can companies keep their board members attuned to the risks inherent in disruptive communications?
How Can Companies Stay Ahead?
Former Department of Homeland Security Secretary Tom Ridge, now chair of Ridge Global Cybersecurity Institute, argues that protecting against cyber incidents is everyone’s responsibility, from the people in the boardroom to entry-level employees. “Board members who are not as experienced with cybersecurity need to see it at the forefront of financial risks that could impact their bottom line,” says Mr. Ridge. “We need to have more information-sharing and more conversations about cyber risk at the board level, and not just within companies’ IT departments.”
How can companies keep their board members attuned to the risks inherent in disruptive communications without intimidating or depressing them?
The answers aren’t easy, but there are constructive steps that perceptive companies can take to keep board members plugged in.
First and foremost is to provide board members with a steady diet of articles and expert commentaries on the changing cyber climate. Don’t saddle them every other day with a 100-page treatise on the latest cyber-hack nightmare. That will turn them off. Instead, email or text them quick and easily digestible news summaries and samples of how a nasty hack was averted—or, on the flip side, how company X was hurt by a sluggish response to a cybercrime.
When a respected business outlet runs a story about the dangers inherent in disrupted communications, make sure your board members see it—with key passages highlighted. That way they’ll be less shocked if and when the hazards hit you. And perhaps they’ll be more inclined to help you undertake preventive measures now, during peacetime, and not wait until it’s too late.
Second, consider adding board members to internal task forces on your areas of greatest vulnerability. They’ll see firsthand how seriously risk management is being handled by the company. And they’ll develop a greater appreciation for how rugged the real world of disrupted communications can be these days.
Third, show your board members the efforts you’re making to strike down the silos. When a disrupted communications crisis hits, you’re going to need everyone on board right away: from the general counsel’s office and public affairs to the folks in information technology and human resources. If they haven’t worked together in a crisis environment—even a simulated one—it could lead to a lack of trust and backbiting.
Managing risk these days is managing disrupted communications—and the way-too-easily-disrupted world that comes with it.
