It’s not surprising that over a third of U.S. company boards discuss cyber threats to their companies at every meeting. The discussion is driven by the increase and nature of high-profile data breaches, distributed denial of services (DDoS) attacks, and rising ransomware and cyber extortion attacks. The annual economic cost of cyber breaches is estimated to run to $1.5 trillion, according to Marsh & Mclennan’s Cyber Risk Center. The concern over such breaches is understandable given the virulence of such attacks in recent months. The so-called cyberworm WannaCry, for example, attacked Microsoft systems, infecting 200,000 computers overnight, hitting 150 countries and affecting much of Britain’s National Healthcare System. Other ransomware attacks, such as Petya, NotPetya and BadRabbit, have been in the headlines even before, and even more destructive variants became frontline weapons for state actors.
Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of this growing problem. Industries such as financial services, telecommunications and utilities, are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity. Government and regulatory agencies around the world have tightened requirements for breach notification. In addition to Brussels’ new EU-wide regulations, China’s new Cyber Security Law, and Australia’s Privacy Amendment are pushing cyber onto board agendas. Last February the SEC provided interpretative guidance to help public companies in preparing disclosures about cyber risks and incidents.
According to a report by Marsh and McLennan conducted in partnership with Women Corporate Directors, a New York based directors group, board directors are expressing frustration with the challenges posed by cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41 percent of respondents said their board had at least one director with cyber expertise, with an additional 7 percent who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.
“most boards have only one individual serving as the ‘tech’ or ‘cyber’ person.”
Catherine Allen, a former financial executive at Citicorp is a board director at Synovus Financial, El Paso Electric, both public companies and is a director with Analytics Pros. Although not an expert on cyber herself she has become the ‘digital director” on the boards she serves and chairs the risk and security committee on El Paso Electric which conducts “table top” exercises that rehearse how breaches might occur and the countermeasures both management and the board undertake. Oftentimes the board will have outside advisors such as Verizon or Deloitte that measures responses and provides metric on how well the board performs on such mock drills. “On all my boards we’ve become highly focused on this risk,” she says. Allen reports that her companies have been hit with small breaches that were contained, but no major threat was experienced in her companies. She is a big believer in having experts on one’s board who can alert fellow directors on what to look for and questions to ask management. “It’s important because today the threats are complex and the technology moves too quickly.”
Marsh & McLennan’s Global Risk Center interviewed WCD corporate directors to identify how companies are addressing cyber threats and the use of cyber insurance. “As the global regulatory landscape becomes more complex, cyber security is gaining increased board level attention,” said Elisabeth Case, U.S. Cyber Advisory Leader, Marsh, a subsidiary of Marsh & McLennan Companies. “Boards are definitely stepping up their oversight.”
Despite this, the report found that directors are still concerned by factors that they believe put their companies at greater risk:
- Few experts serve on boards– Most boards have only one director serving as the tech or cyber expert; few directors “grew up digital,” and they now have to play catch-up to the sophisticated technology used in attacks.
- Lack of benchmarking on security practices– Companies are unclear on how they stack up against their peers, leaving a lot of unanswered questions about best practices, business models, and geographies.
- Unknown risks around third-party providers– One third of organizations do not assess cyber risk of their suppliers and vendors, leaving mission-critical data exposed and beyond the company’s control.
- Inadequate transparency from management– Management often paints a rosier picture than reality, leaving directors in the dark about risks, and rendering them unable to sufficiently support risk mitigation efforts.
This misalignment within the C-suite is creating undue risk exposure and leaving organizations ill-prepared to stop the majority of breaches because their security strategies and investments are not aligned to combat the primary threats they are facing.
To increase board awareness of company risk, the report provides “10 Questions to Ask Management about Your Organization’s Cyber Readiness.” Some questions include:
- Where do we rank in cyber preparedness compared to relevant peers, and how frequently does management perform cyber scenario testing/war games? How do we benchmark our performance?
- Which managers across the organization have accountabilities for cyber risks within IT, business lines, and other operational areas?
- What are the limits of liability of cyber insurance that we have available, and how can we determine if coverage is sufficient?
“Those who think the issue can be safely handled by the audit committee are mistaken,” Allen adds. “and it is not just money and data that attackers are after. Sometimes the hackers are after business model information that, if exploited, can cripple one’s operations. Every director needs to get himself or herself up to speed as best they can. The trend for boards is to get better at detection and to do this properly directors should use the tools for continuously testing how well your company’s systems are working.”