Five Principles for Stronger Board Oversight of Cybersecurity
One of the most important jobs of the board is to challenge management and test their assumptions about strategy, the competitive environment, and associated risks and opportunities. Many directors would say that they are most passionate about this part of their role, and in today’s business environment it has never been more critical. Cybersecurity is a common theme in such discussions, because it’s a significant enterprise-wide risk and strategy issue that affects all organizations.
Just by reading the news headlines, it’s clear that cyber risks can have an impact well beyond technology—they affect new business plans and product/service offerings, mergers and acquisitions, supply chain and purchasing decisions, and major capital investment decisions such as facility expansions and upgrades, R&D processes, HR policies and more. As a result, cybersecurity has moved out of the IT silo and sits front and center on boardroom agendas.
Yet 97 percent of respondents to NACD’s most recent survey of board members still find cyber-risk oversight challenging (about 60 percent say it is “somewhat or very” challenging), and only 14 percent of directors believe their board has a high level of knowledge about cyber risks.
To help directors make headway on this critical issue, NACD and the Internet Security Alliance recently released an updated edition of the Director’s Handbook on Cyber-Risk Oversight. It is built around five core principles that apply to boards of organizations in all sizes and sectors:
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
The five principles help directors to establish processes that support high-quality dialogue on cybersecurity matters. Key takeaways include:
- Understand the specific cyber threats that are most material to the organization. Ask questions such as: What are our organization’s most critical data assets? Where are they located? Who has access? How are they protected? From there, the board can work with management to determine the level of cyber risk the organization is willing to accept in the course of its operations, and how cybersecurity resources and investments will be allocated.
- Stay informed by internal and external counsel about the changing legal and regulatory landscape, including industry-specific rules and requirements, as well as those that are applicable at the state/region, national, and international levels.
- Set clear expectations about the format, content, and level of detail of the cybersecurity information management provides to the full board and to key committees.
- Bring additional expert perspectives on cybersecurity into the boardroom by scheduling deep-dive briefings with third-party experts, leaders from government agencies and law enforcement, and/or by leveraging the board’s existing independent advisors.
- Individual directors can take advantage of opportunities to enhance their own cybersecurity awareness and knowledge by participating in relevant director education programs.
For some companies in select industries, cyber expertise on the board may indeed be the right decision. NACD believes that responsibility for board composition and director recruitment belongs with the nominating and governance committee: The group that is specifically charged with filling current and future skill requirements on the board. They have the best firsthand knowledge about what the board needs, and are in communication with the company’s investors to hear their perspectives.
But directors don’t need to be technologists or cyber experts to play an effective role in cyber-risk oversight. Like any other significant business risk, cyber-risk oversight requires directors to have a thorough understanding of the company’s business model, experience in strategy and leadership, sound business judgment, and the ability to constructively challenge management—in other words, the fundamental elements of high-quality board leadership. And improving the effectiveness of cyber-risk oversight practices can and should be part of every board’s continuous improvement activities.