07 Aug. 2017 | Comments (0)
It has been a busy few months. The WannaCry ransomware attack made big news in May, raising a lot of antennas. Everybody waited for more shoes to drop from the leaked NSA hacking tools and indeed more attacks came. The Petya ransomware variant (AKA “NotPetya”) caused significant damage to global companies. These attacks are the next level in a series of events over the past year that need to be a call to action for corporate directors charged with overseeing the health of their companies.
If board directors and executives were not taking notice before, they certainly are now. However, attention is not enough. The need for real cyber security expertise on the board is critical in managing the risk of cyber-attacks that threaten the viability of companies across the globe. The Cybersecurity Disclosure Act of 2017, a bill introduced in the United States Senate in March 2017, hopes to drive transparency in the existence of that expertise on the boards of publicly traded companies. (watch my interview on this topic with The Conference Board Governance Center’s Senior Fellow Bob Zukis).
The concept of having expertise on the board in support of managing a major operational risk like cybersecurity should not be novel or require legislation. It is not hard to find examples of how cyber risk impacts the well-being of the public companies that boards are sworn to protect. A recent example was FedEx Corp. announcing that a disruption in services in its TNT Express subsidiary caused by a NotPetya cyber-attack in June would impact its earnings. The announcement that the impact would be material, due to lost revenue and recovery costs, drove a drop in stock price.
A recent Comparitech study of the impact of publicly disclosed data breaches of one million records or more on public company share prices highlighted that three years after the breach, share prices grew at about one-third the rate of growth as the year prior. On the NASDAQ, the study showed that share prices rebounded to the index’s performance after an average of 38 days post breach, but during the following three years underperformed by an average of more than 40 percent. These figures highlight the impact on share price and don’t even speak to loss of revenue or recovery costs.
Directors have a responsibility to provide informed oversight and guidance to their companies to manage risk, protect assets, ensure compliance with applicable laws/regulations and represent the interest of shareholders. Shareholders and regulators hold board members accountable to make appropriate efforts and perform appropriate due diligence to understand the domains that may impact their company’s viability and value. Willful ignorance is not an excuse in a court of law nor the court of public opinion.
Managing various risks that can impact the enterprise’s viability or share price is a primary board member responsibility. Cyber is a risk management domain. It is not about stopping every attack or preventing every breach. It’s simply not practical to achieve that level of security while still operating a viable business. The objective is to understand where exposure lies, the potential financial impact of those exposures and the impact of taking alternative actions.
Closely associated with the responsibility to manage risk is asset protection. That means understanding the value and loss impact of the company’s key assets, what can impact those assets’ confidentiality, integrity and availability, and the cost benefits of alternative actions to protect them. That may mean investing in protective measures, technology and process resiliency to withstand events, as well as monitoring and analytical tools and resources to mitigate threats and vulnerabilities.
In addition to corporate board members, cyber risk has also captured the attention of regulators. Government agencies are working to comply with the President’s recently released Cybersecurity Executive Order. Financial services companies based in New York State are working to comply with the March 2017 New York State Department of Financial Services cyber regulation. (See Governance Center Blog post on this regulation.) Europe has the upcoming Global Data Protection Regulation (GDPR). The common thread through these and other recent regulations is that, in a very Sarbanes Oxley-like fashion, they hold stakeholders accountable for assessing cyber risk and executing on a plan to minimize risk. If they fail to do so, the penalties can be steep. Most significantly, penalties for noncompliance with the GDPR top out at four percent of global revenue. GDPR is focused on protecting data of European citizens and applies to entities holding that data, regardless of their primary operating geography.
Ultimately, the board’s responsibility is to represent and protect the company’s shareholders. In today’s day and age, it would be unimaginable for a board to take an executive’s words at face value or to plead ignorance when it comes to financial fraud, product safety requirements or general industry regulations. Cyber is a fast-growing risk that has significant potential to materially impact the financial and operational health of every company. Deep subject matter expertise on the board is required immediately to protect shareholders and investors.
What to do?
As motivated by the proposed Cybersecurity Disclosure Act of 2017, at least one board member needs to have deep cyber risk management expertise. This includes knowledge of best practices, technologies and key cyber risk metrics. Broader expertise is better, but having at least one cyber expert will ensure that there is a translation layer between the cyber risk executives and the rest of the board. In the absence of such expertise, the board will be at the mercy of the reporting cyber risk executive, and it will be difficult for the board to make truly informed decisions.
Having a limited number of cyber risk experts on the board does not absolve the other directors from knowing their responsibilities and attaining a basic level of understanding of key concepts. There is a plethora of online and in person resources available to provide such education. A good starting point is The Conference Board’s Cyber Risk and Security Management Council. In addition to general cyber knowledge, board members must also understand the legal and regulatory requirements that are applicable to their company’s industry. Knowing the right questions to ask and how responses drive different decision paths will increase the likelihood of gathering the right information to make the best decisions.
All the expertise in the world will not drive the right decisions if the right information is not being provided to the board. A key part of the decision-making process is implementing the right reporting and communication practices in which the board has confidence and that provides transparency. Reporting will always include a combination of quantitative and qualitative content, that should both tell a story and allow directors to assess posture, gaps and progress in an unbiased fashion. Effective Chief Information Security Officers (CISO) know that transparency is in their best interest, as well as the best interest of the enterprise. Those that obfuscate the facts by steering the presentation in a way that suits their own agenda will continue to have a short shelf life. Regardless of what the facts bear out, senior executives need to be held to account for their performance. If CISOs drive cyber decision making with the facts, as a risk management process, then every breach is not a career ending event.
Knowledge and education will be critical to guiding and understanding what is being presented by the CISO, and making informed decisions. Effective reporting and communication will provide a mechanism to make sure that all the bases are hit in the right order. However, cyber risk management does not follow a linear path that can be tracked once a quarter and forgotten in between. There will be regular bumps in the road, and decisions to be made. Strong relationships will be required to develop open lines of communication that will help the company withstand whatever may arise. Between board meetings, spend informal one on one time with the CISO to develop a strong relationship. Getting to really know their cyber experts will open the door to useful background information about what is really going on, and will facilitate a more constructive partnership that will be in everybody’s best interests, especially the shareholders.
Cyber risk management is a prominent risk to the viability of modern enterprises that needs to be managed effectively at all levels. At the board level, that requires the right level of knowledge, monitoring and decision-making processes. If directors do not understand the moving parts of cyber risk and how they impact the company’s bottom line, then they are at the mercy of the cyber executives they are supposed to be overseeing. That was deemed to be unacceptable for financial oversight back in 2002, when Sarbanes Oxley was passed. To an extent, we are reliving that experience today when it comes to cyber. If passed, the proposed Cybersecurity Disclosure Act of 2017 could be a motivator for lagging companies that are dragging their feet to add the required expertise. In the long term (which may not be that far away), it may be a moot point, as those companies lacking effective cyber risk oversight will not survive.
The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.