Until a crisis erupts, cybersecurity issues don’t get a lot of attention in many corporate boardrooms. The topic is often viewed as a box to be checked while directors devote their real focus to the business’s core financial numbers and goals.
Based on my experience interacting with a variety of boards on cybersecurity threats, I’d give them an overall C grade on their level of knowledge, preparedness and engagement. This typically means their participation in this topic is informational, with a few probing questions. Boards should be more engaged and push the conversation deeper, as if the organization were going to face a major cyber incident next week.
If it wasn’t already clear, 2020 brought home the fact that cybersecurity breaches represent one of the biggest threats to companies and their reputations.
The Covid-19 pandemic helped trigger a triple-digit increase in malware, ransomware and other malicious activity. Attacks have become so common that only the most high-profile ones get much public attention.
At the same time, directors are under growing regulatory and legal pressure to live up to their oversight duty and ensure a company is well prepared for threats against its systems and data.
The Securities and Exchange Commission delivered a wake-up call to boards in 2018, making clear that it expects them to play a proactive role in staying informed about cybersecurity risks and in developing controls and procedures around them.
Boards that fail to take cybersecurity seriously (i.e. thorough due diligence on the risks and management’s risk mitigation measures) are increasingly doing so at their legal peril. Target shareholders sued the retailer’s directors and officers over the 2013 breach of more than 60 million customers’ data in an action that was ultimately dismissed.
In 2019, Yahoo agreed to a $29 million settlement with shareholders over its high-profile data breaches, an outcome that legal experts viewed as an important precedent. The outcome has encouraged other class action lawsuits, including one by Marriott’s shareholders over its massive data breach in 2018.
Board members, especially in certain industries, often don’t have a background in tech. But they don’t need to become IT experts to carry out their oversight responsibilities on cybersecurity.
The important thing is to move beyond a vague knowledge of the dangers to ensure they understand the key issues and trends in cybersecurity and how those could affect the company.
They then need to be asking the right questions to hold CEOs and CIOs accountable and to make sure the company has the right investments and processes in place to deal with the full spectrum of cybersecurity threats.
By adhering to the following six steps, board members can stay on top of cybersecurity risks and go a long way toward protecting their companies and themselves from the damaging impact of successful breaches.
1. Get regular training — at least annually — on cybersecurity trends, including the most common types of attack and the available solutions. The training should be provided by cybersecurity professionals who understand not only your organization but also the cyber threats at industry and local levels.
2. Demand regular updates, ideally every quarter, on the state of the company’s cybersecurity, including the number and type of attempted attacks and how they were dealt with. Rather than a simple incident report when something goes wrong, boards should demand a dashboard that allows them to see the full picture of cyber risks and defenses.
3. Understand companies’ growing obligations and legal risks around data privacy arising from cross-border laws such as Europe’s GDPR and California’s CCPA.
4. See every cyberattack and incident categorized, including those that were prevented. Boards are often informed only about successful attacks, but the total number and type of attacks is just as important for understanding the overall risk level. Conduct a cybersecurity incident response table-top exercise with select board members observing management’s response to a sample threat scenario.
5. Require independent, third-party testing and verification of a company’s cybersecurity and controls.
6. Full documentation of cybersecurity discussions at the board level should be a requirement. This will provide the evidence of boards’ diligent oversight in the event of future litigation.
These steps form the basis for board members to ask the smart, targeted questions around cybersecurity needed to hold executives accountable. These can be simple, non-technical questions aimed at getting a sense of the responsibilities and budget around cybersecurity, which can then trigger more focused follow-up inquiries.
How many cybersecurity incidents did we have in the last quarter? Was there a breach? What kind of breach and did we lose any client data? What kind of cybersecurity insurance do we carry and is it enough? What is our budget for cybersecurity and should it be increasing in light of the heightened threat level?
If board members made it their job to ask deeper, probing questions on a regular basis, it would be an important step toward making their companies better prepared for attacks as well as protecting themselves legally should the worst-case scenario happen.