In the face of unrelenting pressure from major cybersecurity incidents and regulatory action to mitigate them, enterprises are assessing whether they are doing enough to address the situation. For example, public companies are evaluating responses to new U.S. Securities and Exchange Commission (SEC) rules calling for disclosures regarding cybersecurity strategy, risk management and governance practices. Recent SEC actions are setting off alarm bells throughout the cybersecurity community, causing chief information security officers to worry about personal liability and companies to reassess who to include in their directors and officers policies. Who will be next?
Cybersecurity incidents are unavoidable. However, in many recent high-profile cases, incidents have exposed governance/management weaknesses and disconnects between glowing boilerplate cybersecurity disclosure language and the actual substance of cybersecurity processes. Only after these incidents do companies go to great lengths to revamp their cybersecurity. Why not before? Can this be chalked up to a human tendency not to prepare for the future, or are there other reasons?
Bringing the challenge into perspective
SEC registrants will undoubtedly tighten up and expand their disclosure language now that new SEC disclosure rules have kicked in, but perhaps there are more fundamental problems. Boards can be overwhelmed by the complexity of cybersecurity and the vast array of detailed management presentations addressing compliance, heat maps, penetration testing and the like, and may struggle to understand their context. At the same time, they may also be comforted by management’s actions to deal with cybersecurity and not feel the need to do more. If so, are board members pushing cybersecurity governance out to the management team?
For example, the SEC’s new rules require the disclosure of details regarding material cybersecurity events within four days. On the surface, this may appear to be a simple governance exercise—but, in fact, it requires management’s deep technical understanding of an organization’s IT environment and the board’s business understanding of the inner workings and context of the systems that constitute the enterprise they govern. To make an effective disclosure decision, the board would need to be able to evaluate questions such as:
- What is the operational purpose and relative importance of each affected system?
- How much do these operational systems contribute to our revenue forecast?
- What are the specific sensitive data elements captured in each system (e.g., intellectual property, customer data), and how many are exposed in the incident?
- What regulatory fines are associated with the exposure of this sensitive data?
Boards must also consider that cybersecurity incidents are rapidly evolving and the scope of affected systems and data can change over the course of an investigation.
Why it matters
The expression “noses in, fingers out” is meant to stress the board’s responsibility to ask insightful questions, but not to manage the business. However, the reverse is also true: governance cannot be delegated to the management team. Yet evidence from well-publicized breaches suggests either a lack of governance or its delegation to management. Guidance on cybersecurity governance is available from the National Institute of Standards and Technology (NIST), which is in the process of adding a “GOVERN” function to its cybersecurity framework as follows:
“GOVERN addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.”
Board adherence to some form of the GOVERN function is necessary to meet its fiduciary responsibility. For most business risks and challenges, experienced board members are well equipped to ask insightful questions, assess risk and make governance decisions. However, in the past, the complex nature of cybersecurity risk has caused many board members to shy away from cybersecurity and to not devote the time and energy required to fully understand and deal with the issue. This is unsustainable as incidents and regulatory pressures mount.
Adding cybersecurity expertise to the board can be a partial fix for this problem so long as these additions are not viewed as a “check-the-box” solution that relieves the rest of the board from its fiduciary duty. We are only just beginning to see signs of a broader solution wherein the entire board is digging in and devoting the time and energy to understand this systemic risk to their business.
Starting with the right questions
Perhaps boards and C-suites perceive their governance, management and implementation of cybersecurity processes and procedures as adequate. If so, they must be surprised when incidents reveal facts that demonstrate otherwise. By starting with the right questions, boards can better assess their cybersecurity preparedness, primarily from a governance perspective. Here are sample questions board members are asking to make this assessment, broken down across steps to organize, educate and drive culture in an organization.