Risk Oversight

Cyber Awareness to Cyber Expertise: The Evolution of Board Cyber Risk Management

2015 marked an important year for cybersecurity in the boardroom. Cognizant of the increasing business and legal risks that cyber threats pose to their companies, Boards developed a much greater awareness of their companies’ cybersecurity practices, relying on a mix of input from senior management, CIOs, CISOs, internal auditors, outside consultants and counsel—each bringing a different perspective on the risks facing the company. 2016 may reflect a further shift for Boards, from cyber awareness to cyber expertise.

Senate Bill Would Require Disclosure of Boards’ Expertise in Cybersecurity

In testament to this trend, on December 17, 2015, Senators Jack Reed (D-RI) and Susan Collins (R-ME) introduced the Cybersecurity Disclosure Act of 2015, which would require public companies to disclose the cybersecurity expertise of their Boards for the first time. The purpose of the bill is to “promote transparency in the oversight of cybersecurity risks at publicly traded companies.” According to the press release, the bill encourages companies to strengthen and prioritize cybersecurity in light of recent data breaches that have exposed the personal information of millions of customers.

Specifically, the bill would require public companies to disclose whether any member of the Board has expertise or experience in cybersecurity and describe the nature of this expertise in their annual reports or proxy statements. The SEC would have the authority to issue relevant regulations and define what constitutes cybersecurity expertise and experience in coordination with the National Institute of Standards and Technology, including the requisite professional qualifications to administer information security programs or any experience detecting, preventing, mitigating, or addressing cybersecurity threats.

If no member of the Board has cybersecurity expertise or experience, the public company must describe what other cybersecurity steps it took into account when identifying and evaluating nominees to the Board. The press release clarifies that this provision requires companies to explain “why having this expertise on the Board of Directors is not necessary because of other cybersecurity steps taken by the publicly traded company.” The bill does not penalize a company for lacking a Board member with cybersecurity expertise. Instead, it only requires a company to make this disclosure so that investors and customers have a better understanding of a company’s cybersecurity practices or lack thereof.

Director Specialization

Good governance is a prerequisite to effective cybersecurity. But cybersecurity is a complex and fast-evolving risk mitigation practice that may be beyond the skillset of even experienced Directors. It requires a fundamental understanding of how cyber threats correlate to critical business and legal risks, and strategic leadership for managing those risks and preparing for potential cyber incidents.

A big part of that challenge is finding common ground—and a common language—that can facilitate productive interactions between technically-steeped information security personnel, legally-oriented GCs, and business-driven executives and Boards. Directors will be increasingly expected to process all the information conveyed through risk dashboards, cybersecurity frameworks and risk assessments, and respond with competent oversight and input.

The call for expertise at the Board level will increasingly be served by Directors with assigned responsibility for cyber issues. These Directors would need to educate themselves, or come with suitable backgrounds, to serve as the Board’s qualified delegate for effective oversight of cybersecurity.

Looking Ahead to 2016

Understanding cyber risks in the Boardroom is not about absorbing all the nuanced technical details that keep IT busy—it is about recognizing and appreciating the fundamental business and legal risks that stem from technical threats and vulnerabilities.

On the business side, the risks vary widely and require different strategic approaches. Companies need different tactics to deal with the potential for theft of consumer data by foreign hackers, insider theft of proprietary trading algorithms, or a state-backed intrusion into industrial control systems and critical infrastructure. One size does not fit all. These and other threats present different risks to business operations, reputation, and financial performance, which are the driving forces behind risk mitigation and resource allocation.

Boards and senior management are also increasingly concerned with meeting the expectations of their regulators, and implementing practices that do not overextend available resources while passing muster not only with existing regulations, but also anticipated rulemaking and the rules of influential regulators such as the SEC and FTC. This requires a close look at organizations’ cybersecurity governance and practices in the event of a cyber incident and the type of exposures most likely to trigger regulatory scrutiny.

2016 will be an exciting time for Boards as they evolve from simple cyber awareness to cyber expertise. Stay tuned for further updates.