Traditionally, cyber security has been considered the exclusive domain of IT and security operations departments, which were charged with the purchase and deployment of technology to defend against network intrusions. However, the long line of devastating data breaches at Target, JPMorgan Chase, Home Depot, and dozens of other established, respected brands is changing all that. Nowadays, the responsibility for the safety, security, and integrity of an organization’s network has shifted to executive management and boards of directors. For some, though, the question remains: why should cyber security be a board oversight issue?
Over the last few years, cyber threats have emerged as some of the most significant business risks facing organizations. For many, the Target breach was a watershed event. The subsequent lawsuits and settlements, which totaled in the tens of millions of dollars, revealed the scale of the financial impact associated with cyber-attacks. Since boards of directors have a fiduciary responsibility to preserve corporate financial value, these breaches were a rude wake-up call. Meanwhile, the courts are holding businesses accountable for implementing appropriate security practices to protect consumers’ personal information. The Home Depot, which booked $161 million of its pre-tax expenses to cover a breach, including $19.5 million for the consumer settlement, is a good example.
In response, boards have started to move away from viewing cyber security as merely a core function of IT management, and are now demanding that C-suites treat cyber threats as an enterprise risk that should be addressed from a strategic, company-wide, and economic perspective. They are now taking a very active interest in cyber security, and want to be kept informed of current and evolving risks, as well as the organization’s security preparedness and response plans. As a matter of fact, according to a recent study by accounting firm EisnerAmper (EA), directors of boards are most worried about cyber security risk (70 percent), reputational risk (66 percent), regulatory compliance risk (64 percent), and senior management succession planning (51 percent).
These results reflect the fact that boards now recognize that protecting against cyber-attacks and complying with evolving regulatory mandates is becoming more challenging and increasingly costly. As an example, the European Union’s new Data Protection Directive stipulates fines of up to 5% of a company’s global revenue, which creates a foundation for civil litigation. In cases where cyber security insurance is being considered as a regulatory fence against cyber risks, the board’s risk committee is required to determine coverage for directors’ and officers’ liability, commercial general liability, prior acts, as well as property and casualty insurance.
Operating in this new environment is not easy. A recent study by the National Association of Corporate Directors (NACD) revealed that over 90% of respondents believe their board’s understanding of cyber security risks still needs to improve. In this context, the U.S. Senate recently proposed a cyber security disclosure bill that would require public companies to describe what cyber security expertise their boards have, and, if they don't have any, what steps the companies are taking to add this type of expertise to their boards.
While many experts believe the proposed bill is going too far – especially considering the existing shortfall of cyber security experts in the industry – it illustrates the need for oversight at the highest level. In fact, the NACD recommends that risk oversight become a function of the entire board. Since business strategy and risk nowadays go hand-in-hand, the full board—and not just one subcommittee—needs to be vetting the company’s cyber security practices and programs.
To elevate transparency and provide the necessary information to board members, organizations should consider implementing the following practices:
• Increasing the frequency of cyber security related presentations to the board;
• Allowing CSOs and CISOs to present their findings and strategies directly to the board, rather than through some other C-level representatives;
• Treating cyber security as a matter of enterprise-wide risk, not just as a function of IT management; and
• Implementing a model that establishes a quantitative estimate for cyber risks, exposures, and potential damages to better align business objectives and security goals.
Ultimately, a proper oversight program can help companies streamline board reporting, integrate the multi-department activities required to mitigate operational cyber risks, and ensure that reasonable security protocols and procedures are in place. Furthermore, it can help all stakeholders gain a better understanding of what assets might be at risk, how to estimate potential losses, and how to mitigate threats using new security practices, investments, and cyber security insurance.
While many boards have woken up to the fact that they need to pay more attention to cyber security as part of their fiduciary responsibility, security executives should not stand by, waiting for their board to ask questions about cyber risk management. Instead, CISOs should proactively monitor their company’s risk posture and provide the board with quantitative views of it on a semi-annual basis — at the very least.