Businesses of all sizes and from almost all industries are exposed to potential cyber-attacks. High-profile cyber-attacks in recent years have triggered enhanced scrutiny of the BOD’s readiness to tackle imminent attacks. The boardroom is now under the watchful eyes of regulatory authorities, shareholders, and customers. Even though the significance of cybersecurity at the Board level is discernible in most companies, it is often challenging to transform that awareness into practical steps that can be implemented.
There is general anxiety in the boardroom when it comes to the readiness to cope with a major cybersecurity incident. The National Association of Corporate Directors (NACD) said in its report that about 89 percent of public corporation directors discuss the topic of cybersecurity frequently in their meetings, but only less than 40 percent are confident that their companies are safe from possible cyber attacks.
There is no doubt that maintaining the right balance of profitability and growth with the security of corporate data in a highly competitive atmosphere can be a challenging task. Below, I have provided some guiding principles for the BOD to put effective cybersecurity oversights in place in such an environment. These principles are based on the NACD findings.
Guiding Principles
The board of directors can adopt and tailor these principles to their unique requirements, such as company size, strategies, business operations, industry, and geographic footmark.
Principle 1: Hold Board Level Cybersecurity Meetings
Some companies hold cybersecurity meetings at the board level, whereas others assign the matter to committees like the technology, audit, and risk committee. The board of directors, in any case, must be updated about the cybersecurity matters at least twice a year and when certain events and circumstances necessitate.
While putting cybersecurity as an individual item on the meeting agenda is now a norm, the matter must also be discussed during full-board meetings that involve:
- Merger and acquisition
- Business plan and product development
- Acquisition and deployment of new technologies
- Development of new procedures
- Capital investment decisions like business expansion and technology up-gradation
Principle 2: Understand the Legal Repercussions of a Cybersecurity Event
The legal and regulatory environment surrounding cybersecurity is continuously changing. Board of directors must keep up with the new regulatory requirements for their companies. And they should know what legal implications their organizations may face in case of a cybersecurity incident.
Public corporations are obliged to make public cybersecurity incidents and risks that their organizations have faced or are facing. The boardroom should take into account the following factors:
- The frequency of earlier cyber attacks
- The severity of the cyber incidents
- The likely costs and consequences that a cyber incident can cause
- The effectiveness of the preventive actions taken in the past
Principle 3: Have Easy Access to Cybersecurity Professionals
To help the BOD get a high-level cybersecurity understanding, organizations should:
- Arrange expert level briefings and get cybersecurity assessments done
- Involve third-party, cybersecurity professionals in the briefings and assessments
- Get cybersecurity insights and recommendations from the boardroom’s current advisors who have expertise in and industry-wide outlook on cyber risk evolutions
- Support and organize educational programs for the BOD on cybersecurity and risk management
Principle 4: Comprehensive Cyber-Risk Management Structure
The board of directors must establish a clear and well-defined expectation that the management will put in place a company-wide cyber-risk management structure. While there isn’t a standard method for doing this, you may consider starting with the Cybersecurity Framework developed by the National Institute of Standards and Technology (“NIST”). You can use this elementary structure as a footing and then drape it with your industry-specific requirements. Establishing your expectations for the management alone is not sufficient. The BOD must also allocate human, financial and technological resources to the management for the development and implementation of the cybersecurity framework.
Conclusion
The cybersecurity incidents that shock the world during the last five years and the evolving legal and regulatory environment imply that for the board of directors, just being aware of cyber risks is not enough. Governments, customers, regulatory authorities, and shareholders now want the boardroom to be involved in continuously enhancing the cybersecurity of their organizations. Board of directors should constantly assess the capacity of their companies to cope with cybersecurity incidents. Even though each company will come up with a cyber risk management strategy that suits their needs, the principles that I have outlined above can help you make a good start.