Dancing on the Head of a Pin: Corporate Boards, Committees and Cybersecurity Risk Management
No one was surprised when compliance and risk publications cited cybersecurity as the number one risk that corporations face today. While this is a relatively simplistic and headline-grabbing statement, the truth remains that corporate boards should have cybersecurity in their Top-3 List of corporate risks facing the organization.
Like everything in life, it is one thing to identify the risk — it is quite another to tackle and mitigate the risk. Board members are not technical experts. Lawyers often lack this expertise. However, board members, executives, lawyers and compliance professionals do share an important trait — the ability to learn from subject matter experts. Intelligent professionals can learn — it comes with the territory. And everyone now needs to learn and understand cybersecurity risks. We live in a real digital age where technology is rapidly evolving and corporations need to catch up and do so quickly.
On the one hand, digital technology is a boon for businesses, but it also comes with significant risks. Companies are embracing the power of technology to enhance productivity and innovation. On the flip side, companies need to identify and mitigate cyber risks.
The cyber landscape can be deadly to a company. By 2025, cyber losses are projected to total over $10 trillion (with a T). The SEC has mandated comprehensive cybersecurity risk disclosures. Companies face unprecedented risks and collateral litigation in this area if they fall victim to a cybersecurity incident.
Let’s review the Report’s key findings:
- Companies with advanced security ratings create nearly four times the value for shareholders as companies with basic security ratings.
- Companies with a specialized risk committee to address cybersecurity risks performed better than those companies with an average security rating and a specialized committee focused on cybersecurity risks.
- Appointing a cybersecurity expert on the board is not enough. Instead, companies perform better when a cybersecurity expert is integrated into a board committee responsible for oversight of cybersecurity risks. The mere presence of a single board member with cybersecurity expertise is not enough to leverage the full range of potential benefits to the company from such expertise. Instead, the presence of a cybersecurity expert on a specialized committee, along with relevant data, resulted in higher performance outcomes. Unfortunately, the percentage of companies that have at least one board member with cybersecurity expertise remains low at approximately 5 percent.
- Regulated companies outperform other companies on cybersecurity risk management. For example, healthcare and financial service companies maintain higher performance records on cybersecurity risk management than non-regulated industries.
Chief information security officers (“CISOs”) have a difficult job — they have to teach the board and senior management basic cybersecurity issues, while maintaining a vigilant risk management program. Like CCOs, CISOs often do not have access to adequate resources to execute their responsibilities.
Compliance and cybersecurity share a common problem — if there has not been a disastrous event (e.g. an FCPA enforcement action or a cybersecurity attack), board members and senior executives reach the inaccurate conclusion that “everything is ok” and there is no need to maintain or increase investments in ethics and compliance and cybersecurity risk management.
The Diligent and Bitsight report paints an imperative picture — companies need to build effective cybersecurity risk management governance structures and do so now. This is a must-do rather than a like-to-have situation.