16 Jun. 2016 | Comments (0)
By Bob Zukis, Senior Fellow, Governance Center at The Conference Board
Fifteen years ago the legislation known as Sarbanes-Oxley (SOX) forced American corporate boards to diversify their skills by adding financial expertise to their director ranks. Are we now at a similar point for IT and cybersecurity governance skills? The Conference Board, in its report titled “Emerging Practices In Cyber Risk Governance,” defines cyber risk governance as “…a framework adopted within an organization to deal with the new and evolving risks relating to cyber space both within the organization and as the organization interfaces with the outside world.” Moreover, the report expressly states that “Cyber risk governance begins with the board…”
Today’s corporate boards are well aware of their responsibilities around financial reporting and have the skills in the boardroom to adequately address those responsibilities, but there was once a time when having a qualified financial expert in the American corporate boardroom was a novel concept. That changed when the law known as Sarbanes-Oxley (SOX) was passed on July 30, 2002 in reaction to the Enron and WorldCom accounting debacles. Amongst its many other requirements, SOX put a disclosure requirement on SEC reporting entities that required boards to disclose whether they had a director who was a “financial expert” on the board. Prior to this law, there was no requirement for SEC covered entities to have directors with any level of financial statement understanding or accounting aptitude—remarkable in hindsight.

Cybersecurity is now front and center in the daily news and in the corporate governance conversation. As a result of the incessant march of information technology and the corresponding cybersecurity risks that come along with these advances, the seemingly daily headlines on cybersecurity incidents only serve to underscore the significance of this corporate risk. Recent NYSE/SpencerStuart research identified cyber risk as one of the most significant challenges facing public companies in 2016, behind only an uncertain economy and market risk.

In 2002 when SOX was passed into law, its section 407 required boards to disclose the financial expertise held by their directors. It required SEC registrants to:
…disclose whether or not, and if not, the reasons therefor, the audit committee of that issuer is comprised of at least 1 member who is a financial expert, as such term is defined by the Commission.
The definition of what constituted a “financial expert” was a point that received clarification as the bill went through Committee. The original guidance was viewed as too narrow of a definition, which would have significantly limited the number of qualified director candidates who could fulfill the requirement. The label was changed to “audit committee financial expert” to broaden the definition with the following further clarification added for the person with this designation. Such person shall have:
…a thorough understanding of the audit committee's oversight role, expertise in accounting matters as well as understanding of financial statements, and the ability to ask the right questions to determine whether the company's financial statements are complete and accurate.
Once implemented, Sec. 407 had a significant impact on the makeup of boards and their audit committees. In 2012, ten years after SOX, EY reported that while only a small number of audit committee members were financial experts in 2003, by 2012 almost one-half of ALL audit committee members were identified through proxy statement disclosure as meeting the definition of an audit committee financial expert. Whether former auditors, CFOs or otherwise qualified financial professionals, this skillset and competency has become, and remains, an important and effective part of American corporate governance. What was, and I believe remains, an underappreciated viewpoint on the overall skillset of these “audit committee financial experts” is that while they have expertise in the financial accounting and reporting domain, they also, by necessity, possess a very good general business aptitude. In order to be the scorekeeper for a business, financial and accounting professionals need to understand how a business operates. Boards not only added a deep and very valuable financial skillset as the result of SOX Sec. 407, they also added executives who can add value to the overall governance agenda.

Fifteen years after SOX, we’re now at a similar point, but with regard to cybersecurity risk. Cyber risk is pervasive and doesn’t discriminate by industry or company size. Hackers will hack weakness, and wherever there is vulnerability there is a cyber crime opportunity. The Allianz 2016 Risk Barometer reports that cyber incidents are considered the top emerging business risk for the long-term future (+10 years), far exceeding the risk of business interruption or terrorism. Governing cybersecurity risk is a comprehensive part of an overall IT governance approach, and IT governance is a necessary part of enterprise risk management.
Effective cybersecurity governance requires that the right skills and competencies be in the boardroom to understand this increasingly complex and persistent threat. Yet, as evaluated by cybersecurity professionals, most boards still don’t have the skills or competencies to adequately govern this domain. The latest 2016 survey from Osterman Research and Bay Dynamics discloses that only 39% of [IT and security executives] feel they are getting the support they need from the board to address [cyber] threats. Moreover, the same survey reported that only one-third of IT and security executives believe that the board understands the information about cyber security threats that is provided to it. Given these ongoing issues, policy-makers have taken notice. In December 2015, a cybersecurity expert disclosure bill was proposed in the US Senate. Called the Cybersecurity Disclosure Act of 2015 (S. 2410), the language of this proposed bill is somewhat similar to SOX Sec. 407. The goal of this proposed cybersecurity legislation is to “…promote transparency in the oversight of cybersecurity risks at publicly traded companies.” It would require any “issuer” under section 3 of the Securities Exchange Act of 1934:
 to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and
 if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.
Proposed S. 2410 is bipartisan legislation initiated by Senator Jack Reed (R-ME, @SenJackReed) and Senator Susan Collins (D-RI, @SenatorCollins). Currently in committee, the Bill aims to do what, so far, boards have been unable or unwilling to do themselves: put skills in the corporate boardroom that can effectively govern the persistent and significant exposures around cybersecurity risk. Dr. Richard LeBlanc, author of the recently released book “The Corporate Governance Handbook,” describes this by saying:
IT literacy is becoming what financial literacy was to boards 15 years ago. The jack-of-all and specialist-of-none generalist director is being succeeded by directors with more specific and relevant skills. Regulators and investors want to see areas of expertise for directors that reflect the complexities of the businesses that they govern.
While what constitutes “experience or expertise in cybersecurity” has yet to be defined, as the Bill is currently in the Banking, Housing and Urban Affairs Committee, the co-sponsors expect this issue to be addressed in cooperation with the National Institute of Standards and Technology. The proposed Bill states:
…the Commission, in coordination with the National Institute of Standards and Technology, shall define what constitutes expertise or experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats.
Just as there was ultimately an incorrect perception that there were few director-level candidates who could fulfill the role of “financial expert,” I’ve also heard a similar view as it relates to board-ready cybersecurity experts. But as was discovered with financial experts, the cybersecurity and IT governance resource pool is broader than those outside of the IT community may believe. Qualified directors exist as current or former CIOs, CISOs, IT consulting executives or IT industry executives. As was discovered with “financial experts,” IT executives also have a significant amount of general business aptitude, as they are the operational enablers of the business. Increasingly, they are also the key strategic enablers of any business.

Cyber risk is an issue that has a potential material impact on shareholder value, and it’s also an issue that’s squarely in the public interest. Hackers will exploit the weak points of any IT environment; consequently this issue impacts both national competitiveness and national security. Moreover, it also puts at risk the very gains that developments in information technology offer to society. The World Economic Forum estimates that without a coordinated international approach from both the private and public sectors on the issue of cyber resiliency, USD$ 3 trillion of economic value could go unrealized by 2020. The reliance that business and society have on new information technologies requires skilled and knowledgeable corporate oversight. Fortunately, many IT/cybersecurity governance frameworks exist. Unfortunately, they are simply under-applied in the American corporate boardroom because of the lack of the requisite director skillset. Directors who do not have the ability to ask the right cybersecurity question will never get the right answer. Cybersecurity governance ground zero starts in the American corporate boardroom with competent cybersecurity directors.
Whether forced by regulators, pressured by activists or added by a board that recognizes that good corporate governance needs cybersecurity-competent directors, a decade from now we’ll look back in disbelief at what is today the novel concept of having cybersecurity skills in the American corporate boardroom.
The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.
References:
“Emerging Practices In Cyber Risk Governance” (October 2015), https://www.conference-board.org/publications/publicationdetail.cfm?publicationid=5040&subtopicid=210
“What Directors Think” (2016), https://www.spencerstuart.com/~/media/pdf%20files/research%20and%20insight%20pdfs/what-directors-think-2016_042016.pdf?la=en
“The Sarbanes Oxley Act at 10: Enhancing the reliability of financial reporting and audit quality” (2012), http://www.ey.com/Publication/vwLUAssets/The_Sarbanes-Oxley_Act_at_10_-_Enhancing_the_reliability_of_financial_reporting_and_audit_quality/$FILE/JJ0003.pdf
“Allianz Risk Barometer Top Business Risks 2016,” http://www.agcs.allianz.com/assets/PDFs/Reports/AllianzRiskBarometer2016.pdf
“Risk and Responsibility in a Hyperconnected World” (January 2014), http://www3.weforum.org/docs/WEF_RiskResponsibility_HyperconnectedWorld_Report_2014.pdf