In the 2024 What Directors Think Survey developed in collaboration with Corporate Board Member, BDO and Diligent Institute, AI and cybersecurity emerged as two of the most challenging areas for directors to oversee, at 36 percent and 35 percent, respectively. As board members maintain a neutral outlook on the U.S. business environment, these two areas have grown in importance for short- and long-term success.
New AI risks underscore the need for increased oversight
Technologies like generative AI have the potential to transform the way we work, and many boards are wary of the organizational readiness gap. Without proper governance over the implementation and use of AI, organizations may inadvertently expose themselves to new risks.
Shareholders hold a similar concern, according to the What Directors Think Survey. When asked about issues that are top of mind, a majority of directors (88 percent) noted increasing shareholder inquiries related to AI and generative AI developments.
According to BDO’s 2024 CFO Outlook Survey, finance leaders view AI as a tool that can help improve compliance and reporting, safety monitoring, pricing decisions, customer service, contract management, back-office automation, field services and more. However, information security remains a concern, with CFOs noting, for example, that there is still doubt about how open-source AI platforms and large language models (LLMs) use and store data. The potential benefits of AI tools must be weighed against the need and ability to protect sensitive information.
What do these concerns mean for businesses? As companies embed AI into their operations, leaders must continue to anticipate, monitor and respond to evolving risks. This means maintaining proper governance and ethical use policies and procedures and arming current and future employees with appropriate AI skills and continuing education. Boards need to understand how management prioritizes risks and mitigates potential bias in data sets or use of flawed algorithms.
As AI, particularly generative AI, is rapidly becoming part of day-to-day business operations, nearly half (49 percent) of organizations are diving head-first into establishing AI policies (2024 CFO Outlook Survey). Furthermore, 39 percent are building in-house solutions to safeguard sensitive client information and proprietary data and tailor tools to meet their needs.
Responding to new regulations: SEC raises cybersecurity requirements
As if the current threat of a cyber incident disrupting the business weren’t enough, companies now face an additional angle of cyber risk exposure: expanded disclosure and incident reporting regulation. The recently effective SEC cybersecurity disclosure rules add annual reporting requirements, mandating that publicly listed companies describe their cyber risk management, strategy and governance processes, along with a time-sensitive requirement to publicly report cyber incidents determined to be material. These rules require public companies, and the “third parties” in their supply chains, to examine how their organizations are managing cyber exposures and, as importantly, how their boards are overseeing the process.
In general, boards do not appear to be overly confident in their ability to oversee the management of cyber risk nor the management team’s ability to effectively manage cybersecurity. For example, when asked how prepared their board and management teams were to comply with the SEC’s new rules on cyber risk disclosure, directors only rated their boards’ preparedness a 6.75 out of 10, and management’s a 7.28 out of 10, according to the What Directors Think Survey.
Once a cyber incident is identified, the company must quickly determine whether it may have a material impact on the organization. This can be challenging, as cyber incidents take many forms, can affect many systems, and may go undetected for long periods. To make such a determination on a timely basis, the board and management team need an evaluation process that weighs both qualitative and quantitative factors in assessing materiality. To limit the damage from a cyberattack, the board and management team should maintain an up-to-date incident response (IR) plan that puts the company into action as soon as an incident is suspected. The plan must account for the SEC’s new reporting time frame: the materiality determination must be made without unreasonable delay, and the public disclosure is due within four business days of that determination, not of the initial discovery. The IR plan must also include an established reporting and communication process that allows the company to comply with other relevant legal requirements at the state, federal and international levels.
To meet the new SEC rules’ disclosure requirements on management’s role and the board’s oversight of cybersecurity risk management, current policies, procedures and protocols should be reviewed to determine whether they need adjusting. This review should also assess whether what will be disclosed aligns with other governance documents, such as the company’s proxy statements, board committee charters and other public and internal documents that describe the company’s data and cybersecurity protocols. Gaps uncovered here may point to a need for further director education and closer collaboration between directors and executive leadership.
Breaches most often stem from human error (for example, employees falling for phishing schemes) and from exposure through third parties, so every stakeholder needs to understand their role in strengthening and protecting the business’ cybersecurity measures. Board members should empower leaders not only to invest in employee and stakeholder training but also to encourage cross-team collaboration, so the business can reduce its exposure and respond quickly and effectively when a cyber incident occurs.
Shifting from reactive to proactive: What boards need to know
Digitization, including the use of advanced technologies like AI, presents numerous opportunities to enhance business operations, but organizations must first have foundational data and usage protections, oversight and company-specific cybersecurity programs in place. To strengthen oversight in these areas, boards should structure their meeting agendas to prioritize material risk, stress test the company’s cyber IR programs and governance oversight, and emphasize the importance of a culture of ethical technology use. Continuing education on the changing risk landscape for all employees, including directors, should also be considered.
Governance structures must include protection and enforcement mechanisms, training, and efforts to strengthen the control environment against new and emerging risks. As part of this, boards should maintain regular collaboration with management, IT, internal audit, legal and other relevant professionals, both inside and outside the organization, including advisors and law enforcement agencies as appropriate. To protect company stakeholders from AI and cyber risk, boards should establish accountability mechanisms and confirm that management teams are routinely monitoring and updating their data and cybersecurity programs.