Written by: John Nish
As the world continues to rely on digital operations, cybersecurity remains an overwhelming concern—affecting how companies strategize, function, and grow. Cyber-risk is ever-evolving, and can cause financial and reputational damage if not adequately managed.
Recently, the National Association of Corporate Directors (NACD) released its 2020 Director’s Handbook on Cyber-Risk Oversight to assist board members in defining their cybersecurity responsibilities and executing effective oversight strategies. The guidance is intended to aid boards of public companies, private companies, and nonprofit organizations across all industries in their cybersecurity endeavors, providing timely advice and proven strategies to mitigate cyber-risk. It outlines five key principles:
- Cybersecurity as a Strategic Risk: Directors need to understand and approach cybersecurity as a strategic, enterprise risk—not just an IT risk
- Legal and Disclosure Implications: Directors should understand the legal implications of cyber-risks as they relate to their company’s specific circumstances
- Board Oversight Structure and Access to Expertise: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas
- An Enterprise Framework for Managing Cyber-Risk: Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget
- Cybersecurity Measurement and Reporting: Board-management discussions about cyber-risk should include identification and quantification of financial exposure to cyber-risks and which risks to accept, mitigate, or transfer (such as through insurance), as well as specific plans associated with each approach
These principles reflect a focus on higher-level enterprise risk management that’s appropriate for board attention, while recognizing that detail-level cybersecurity functions are implicit in the measurement and control of these risks. The 2020 version of the Cyber-Risk Oversight Handbook gives new guidance for each of the five principles, and includes an extensive toolkit to help boards adopt and operationalize the principles.
In this article, we’ve summarized the most important facts and recommendations from the Handbook.
Cybersecurity As a Strategic Risk
Historically, companies have treated information security as a technical issue and assigned responsibility for it to the IT department (or another technology-focused department). That siloing created a disconnect between an organization’s executives and board members and the security of their own data: IT shouldn’t be solely responsible for the critical analysis and communication of security issues that affect the larger business. It’s important for organizational leaders to put time and effort into understanding their potential cyber-risk, and to allocate a budget to mitigate it.
As companies of all shapes and sizes now look to digital innovation as a key element of their strategic plans, a certain level of risk must be accepted. This risk isn’t limited to strictly technical vulnerabilities, but also encompasses third-party risk, reputation risk, availability risk, and any additional potential impacts to the business. Directors must understand these risks and carefully balance them against the strategic imperative of driving digital innovation.
Baseline Questions Boards Can Ask About Cybersecurity
- Are we considering the cybersecurity aspects of our major business decisions—such as M&A, partnerships, and new product launches—in a timely fashion?
- What do we consider to be our most valuable assets? How does our IT system interact with those assets? What would it take to feel confident that those assets were protected?
- What are our company’s most critical data assets? Where do they reside? Are they located on one or multiple systems? How are they accessed? Who has permission to access them?
- How often have we tested our systems to make sure they’re adequately protecting our data?
Legal and Disclosure Implications
The legal and regulatory requirements regarding cybersecurity are always changing. It’s critical that boards stay aware of the many potential liability issues their organizations may face. The federal government and its regulatory agencies are continually increasing their compliance requirements, while every state has varied and disconnected requirements of its own. Boards must understand whether their compliance program is effective in meeting changing requirements, reporting responsibilities, and related obligations.
In addition to the direct regulatory exposure, a successful cyberattack can spawn lawsuits that accuse the organization of poor management, waste of corporate assets, and abuse of control. Appropriate oversight will help protect the board from accusations of negligence.
Cyberattacks and breaches are often considered a matter of “when” and not “if.” Ensure that you have a well-defined and tested Incident Response Plan that includes not only detection, containment, and eradication of the incident itself, but also disclosure procedures in line with all applicable requirements.
Public Disclosures and Reporting
Companies may be subject to a range of disclosure obligations regarding cybersecurity risks and cyber incidents, including:
- Industry-specific regulations from U.S. agencies such as the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC), affecting sectors such as retail, healthcare, banking and insurance, chemicals, telecommunications, broker-dealers and registered investment firms, utilities, and critical infrastructure, plus requirements for government contractors and organizations that hold government data, such as:
  - Gramm–Leach–Bliley Act (GLBA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Family Educational Rights and Privacy Act (FERPA)
  - Federal Information Security Management Act (FISMA)
- State-level information security and data breach notification laws, such as:
  - New York State Department of Financial Services (NYSDFS) Cybersecurity Regulation
  - California Consumer Privacy Act (CCPA)
- Global regulations, including regional, international, and country-specific laws and standards, such as:
  - European Union General Data Protection Regulation (GDPR)
SEC Disclosure Guidance
In 2018, the SEC issued interpretative guidance that outlines requirements for publicly traded companies to disclose any material incidents and cybersecurity risks. The guidance focuses on:
- Pre-incident disclosure
- Board oversight
- Incident disclosure
- Controls and procedures
- Insider trading
Board Oversight Structure and Access to Expertise
Over time, boards have become much more involved in overseeing cybersecurity and in requiring information from management, and they want to remain involved. Communication between the board and cybersecurity management is critical.
The handbook suggests ways to build better relationships with the security team and the Chief Information Security Officer (CISO), and methods to better engage management regarding cyber-risk, including:
- Understanding the CISO’s role and mandate
- Assessing how the CISO collaborates with other departments
- Including cybersecurity not only as a standalone item in the board agenda, but as an integral component of a wide range of strategies and discussion topics
- Hearing reports from management on the overall maturity of the information security program, cyber incident preparedness and reports, and regulatory compliance
Boards should consider augmenting their in-house expertise by using methods to integrate independent expert assessments, such as:
- Scheduling deep-dive briefings and third-party experts to validate whether the cybersecurity program is meeting expectations
- Leveraging the board’s existing independent advisors, such as external auditors and outside counsel
- Actively participating in director education programs, and incorporating a “report back” strategy so directors can share their takeaways from outside programs to the board
- Including a cyber expert on the board committee (depending on the specific needs and composition of your board)
An Enterprise Framework For Managing Cyber-Risk
Directors should expect that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budgeting. In order for boards to have proper and effective oversight, they must fully understand the responsibilities that management has in addressing the organization’s cybersecurity. Boards should assess whether management has established both an enterprise-wide technical framework and a framework for governance of cyber-risk. An integrated approach to risk lets a business address cybersecurity risk across the entire enterprise more effectively. Suggested technical frameworks include:
- National Institute of Standards and Technology (NIST) cybersecurity framework
- International Organization for Standardization (ISO) 27001
- Center for Internet Security (CIS) Critical Security Controls (CSC)
- Payment Card Industry Data Security Standard (PCI DSS)
The handbook also describes two models for enterprise risk management: the “Multistakeholder Model” which was developed by the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI), and the “Three Lines of Defense” model.
Multistakeholder Model
The Multistakeholder Model advocates for an identified cyber-risk leader who isn’t from IT and who has broad, cross-organizational authority. The framework is made up of seven steps:
- Establish ownership of cyber-risk on a cross-departmental basis; someone like a CFO or COO should lead the team
- Appoint a cross-organization cyber-risk management team
- Perform a forward-looking, enterprise-wide risk assessment using a systematic framework that accounts for the complexity of cyber-risk—including, but not limited to, regulatory compliance
- Be aware that cybersecurity regulation differs significantly across jurisdictions
- Take a collaborative approach to developing reports to the board
- Develop and adopt an organization-wide cyber-risk management plan and internal communications strategy across all departments and business units
- Develop and adopt a comprehensive cyber-risk budget with sufficient resources to meet the organization’s needs and risk appetite
Three Lines of Defense Model
The familiar Three Lines of Defense Model has become nearly ubiquitous over the past decade. It assigns risk ownership to three groups within a company, each more independent than the last, with successively greater responsibility for overseeing (rather than performing) cybersecurity management.
- Line 1: Operates the business, owns the risk, and designs and implements risk management
- Line 2: Sets policy and defines the risk management framework
- Line 3: Commonly, internal audit is responsible for independent evaluation of the first and second lines
Measurement and Reporting
Board-management discussions should involve specific plans regarding identification and quantification of financial exposure to cyber-risks, as well as decisions to accept, mitigate, or transfer risk. While cyber-risk assessments solely expressed as critical, high, and medium do provide a measure of risk, they don’t effectively compare cyber-risk with other kinds of risks faced by the organization.
An important question to ask is: How can you compare high cyber-risk to a high financial risk? Quantitative assessments are critical for boards to make informed decisions. These assessments consider the impact, likelihood, velocity, duration, and interdependency of risks.
Understanding Cybersecurity Economics
By determining the degree of their financial exposure to cyber-risk, organizations can better decide where to focus resources and which specific cybersecurity investments address the greatest and most impactful risks. Some important questions boards should ask are:
- What data (and how much data) are we willing to hold, lose, share, or have compromised as a practical business matter?
- How should cyber-risk mitigation investments be allocated among basic and advanced defenses?
- What options are available to assist us in mitigating certain cyber-risks?
- How should the impact of cybersecurity incidents be assessed?
Early Methods for Economically Assessing Cyber-Risk
Management uses systematic methods to determine the organization’s exposure to cyber-risk. The results of a sufficiently rigorous assessment can be expressed to the board in a way that lets directors, alongside management, set the organization’s risk appetite and allocate resources accordingly. Steps for cyber-risk assessment and management may include:
- Seeking the best data available to make assessments of possible attack scenarios
- Focusing on scenarios that are probable and would yield an expected loss significant enough to affect the business
- Calculating the best case, worst case, and most likely case of an attack and identifying what degree of loss is acceptable (risk appetite)
- Determining the investment required to mitigate or transfer risk to an acceptable level
- Running multiple scenarios, using methods such as Monte Carlo simulations, to more accurately define risk and mitigation costs of various scenarios
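As an added illustration of the steps above (this is example code written for this summary, not material from the NACD handbook, and it uses only the Python standard library), the simulation below models one loss scenario the way a quantitative cyber-risk assessment typically does: event frequency as a Poisson process and per-event loss as a triangular distribution built from the best, most likely, and worst cases the text describes. It then produces an expected annual loss, loss percentiles, and the probability of exceeding a stated risk appetite, and compares a baseline against a mitigated scenario and an insured (transferred) one. The scenario names, dollar figures, control cost, deductible and limit are all constructed for the example; the choice of Poisson and triangular distributions and of an aggregate-style insurance policy are modeling assumptions, not something the handbook prescribes.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One attack scenario expressed as the three point estimates the text calls for."""
    name: str
    events_per_year: float   # expected loss events per year (Poisson rate); assumption
    best: float              # best-case loss per event, in dollars
    most_likely: float       # most likely loss per event
    worst: float             # worst-case loss per event


def poisson(rng: random.Random, rate: float) -> int:
    """Draw an event count from a Poisson distribution (Knuth's method; fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, trials: int, seed: int = 1) -> list[float]:
    """Monte Carlo: each trial is one simulated year; return the total loss for every year."""
    rng = random.Random(seed)  # seeded so results are reproducible for the board pack
    losses = []
    for _ in range(trials):
        events = poisson(rng, scenario.events_per_year)
        # random.triangular takes (low, high, mode); mode is the most likely per-event loss
        year_total = sum(rng.triangular(scenario.best, scenario.worst, scenario.most_likely)
                         for _ in range(events))
        losses.append(year_total)
    return losses


def summarize(losses: list[float], risk_appetite: float) -> dict[str, float]:
    """Expected annual loss, tail percentiles, and the chance of breaching the risk appetite."""
    ordered = sorted(losses)

    def percentile(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "prob_exceeds_appetite": sum(1 for l in losses if l > risk_appetite) / len(losses),
    }


def mitigation_value(baseline: list[float], mitigated: list[float], annual_control_cost: float) -> float:
    """Expected loss avoided by a control, net of what the control costs each year (mitigate)."""
    avoided = statistics.fmean(baseline) - statistics.fmean(mitigated)
    return avoided - annual_control_cost


def retained_after_insurance(losses: list[float], deductible: float, limit: float) -> list[float]:
    """Loss the organization keeps under a simple aggregate policy (transfer): it pays the
    deductible and anything above deductible + limit; the insurer covers the layer between."""
    return [min(l, deductible) + max(0.0, l - deductible - limit) for l in losses]


if __name__ == "__main__":
    # Constructed figures for illustration only.
    baseline = Scenario("ransomware (current controls)", 2.0, 50_000, 200_000, 1_500_000)
    hardened = Scenario("ransomware (EDR + tested offline backups)", 1.0, 50_000, 150_000, 1_000_000)
    appetite = 1_000_000          # board-stated acceptable annual loss
    control_cost = 250_000        # annual cost of the proposed controls
    deductible, limit = 100_000, 2_000_000

    base = simulate_annual_losses(baseline, 20_000, seed=7)
    hard = simulate_annual_losses(hardened, 20_000, seed=7)
    print("baseline :", {k: round(v) for k, v in summarize(base, appetite).items()})
    print("mitigated:", {k: round(v) for k, v in summarize(hard, appetite).items()})
    print("net value of mitigation per year:", round(mitigation_value(base, hard, control_cost)))
    insured = retained_after_insurance(base, deductible, limit)
    print("retained with insurance:", {k: round(v) for k, v in summarize(insured, appetite).items()})
```

The point for a board discussion is the comparison, not any single number: the expected annual loss lines up with other financial risks on the same dollar scale, the P90/P99 values show the tail the risk appetite must cover, and the mitigation and insurance figures answer whether to accept, mitigate, or transfer. Replace the triangular estimates with whatever loss data is actually available before relying on the output.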
Boards need to continue assessing their effectiveness in addressing cybersecurity in their own fiduciary responsibilities, as well as their oversight of management’s activities. Throughout the NACD handbook, there is a clear theme that cyber-risk is not a matter to be siloed within the IT department. Rather, cyber-risk is an integral part of organizational risk, critical to your organizational strategies. Responsibility and accountability must sit at the appropriate levels. The five principles discussed in the handbook, along with the accompanying toolkit, offer a helpful blueprint and guidance for boards.