Cybersecurity Oversight: A Board Challenge
Corporate boards face exponentially escalating risks – at the heart of this development is the rapid escalation of board member accountability. Board members are no longer operating in a sinecure, free from legal risks. The walls are changing.
A perfect example of the changing landscape of risk is the importance of cybersecurity oversight and protections. The criminal cyberattack against the Colonial Pipeline and the acknowledged payment of over $1 million to escape a ransomware attack underscore the new environment for corporate boards. The issue is not limited to energy infrastructure but extends to all critical technologies and a range of industries. Last year, the SolarWinds cyberattack underscored another vulnerability in our nation’s reliance on software services to control and manage our Internet backbone.
Cyber risks are even more significant in the work-from-home environment that has become part of our established work environment. While this trend began in response to the COVID-19 pandemic, it is clear that office and work environments have transformed the future workplace. The risks and vulnerabilities have multiplied as large work populations rely on unsecured home Wi-Fi networks to access critical work resources. Virtual private networks are now being used to protect critical information and data in this new work environment.
Corporate boards have to manage cybersecurity risks, mitigate vulnerabilities, develop crisis response protocols, coordinate law enforcement interactions when needed, engage information and cyber experts to assist in any emergency response, and secure adequate insurance to protect against significant financial damages. This laundry list of responsibilities is overwhelming at first glance, but these issues have to be addressed.
The multiple underlying risks are daunting, and the picture is complicated even more by the increasing importance of overall data management and information governance requirements. Companies face requirements for managing, storing and moving sensitive data to protect against intrusions and breaches, subject to legal requirements that vary from jurisdiction to jurisdiction around the globe.
Adding to this complex situation, the SEC has elevated the importance of accurate disclosures concerning cyber and data risks, disclosures that extend to shareholders, institutional investors, proxy firms and other stakeholders. All of a sudden, regulators and stakeholders are focused on corporate governance and risk management in the cybersecurity arena and are ready to downgrade companies and hold their boards and senior management accountable when they learn of unmitigated cyber risks. A key component of the ESG movement is now corporate cybersecurity governance.
In facing this challenging environment, corporate boards have to understand exactly how they should conduct proper oversight and exercise their responsibilities. A defined framework for this effort is essential. This framework should include certain components:
- Outline: the oversight framework should generally be defined to include the essential elements. In beginning this process, the board’s approach and efforts should be documented so that there is an accurate record of the board’s work. The framework should include the essential functions listed below.
- Responsibility: In most cases, audit committees are assuming responsibility for cyber risk oversight. Given the importance of this function and the workload of the audit committee, a separate cyber risk committee may be appropriate. While delegated to a separate committee, the full board should maintain a quarterly report and review of cyber risk oversight.
- Risk and Vulnerabilities Assessment: As in every area of risk management, the board has to understand the company’s risks and vulnerabilities to cyberattacks, as well as internal employee or third-party misconduct. This assessment is the foundation of cyber risk management and has to be regularly updated to reflect changes in business, technology and information activities. The assessment has to include third-party risks, supply chain and all business partner risks because of the possible vulnerabilities created by these external relationships and operations.
- Detection and Response Plans: Directors have to understand how their companies are protecting against cyber intrusions. Specifically, board members have to understand exactly what protections are in place and the ways in which the company can detect a possible intrusion. While the systems may involve technical subjects and ideas, board members should undertake efforts to understand how these systems work and the level of protection created. A security program has to be captured in writing so that it is documented and understood by board members. When vulnerabilities are identified and remediation may be required, directors have to oversee plans to mitigate these vulnerabilities and hold accountable those responsible for fixing these problems.
- Written Policies and Available Resources: A corporate board should ensure that the company has established policies and procedures in place governing cybersecurity. These policies and procedures have to reflect the Cybersecurity Framework set forth by the National Institute of Standards and Technology, coupled with recent executive orders addressing these issues.
- Crisis Response Plan and Disclosures: A final issue for boards to consider is review of protocols for responding to a cyber incident, whether an attack or data breach. The response plan should include a step-by-step protocol to protect against second-guessing litigation launched by shareholders, the government or other actors. A communication plan has to be prepared for coordinating with law enforcement and making timely disclosures to regulators, key stakeholders and the public.