Most corporate boards of directors discuss cybersecurity regularly, but less than half are confident that their company is appropriately secure against a cyberattack, according to the National Association of Corporate Directors' (NACD's) 2016-2017 public- and private-company governance surveys. These findings point to the challenges boards face in guiding their companies through the perils of cyberrisk, as outlined in the NACD Director's Handbook on Cyber-risk Oversight.
Attackers seek to cash in by targeting business plans, intellectual property, trade secrets, customer and employee personal information, and financial data, the handbook notes. Other nations also are a threat. "The cyber threat picture continues to become more challenging with nation-state attacks against both public and private sectors," says handbook author Larry Clinton, president and CEO of the Internet Security Alliance (ISA), a Washington, D.C.-based cybersecurity trade association.
In response, corporate boards are paying greater attention to cyberrisks, NACD President and CEO-elect Peter Gleason says. "Directors don't need to be technologists to play an effective role in cyberrisk oversight — but every board can take the opportunity to improve the effectiveness of their cyber-oversight practices," he says.
The updated handbook provides recent information on cyber threats, legal developments, and statistics on board oversight practices. It outlines five principles for effective oversight of cyberrisk.
1. An ERM Issue
The handbook implores boards to approach cybersecurity as an enterprise risk management (ERM) issue, rather than an IT concern. As such, directors should address it from strategic, cross-departmental, and economic perspectives. For most publicly listed companies (51 percent), cyberrisk oversight falls on the audit committee, but nearly all directors (96 percent) surveyed say the full board takes on the big-picture risks that could impact their company's strategic direction, according to the 2016-2017 NACD Public Company Governance Survey.
Cyberrisk is magnified by the interconnections an organization has with its customers, affiliates, and suppliers, as well as the growing use of cloud computing and links to national critical infrastructure. "Progressive boards will engage management in a discussion of the varying levels of risk that exist in the company's ecosphere and take them into consideration as they calculate the appropriate cyberrisk posture and tolerance for their own corporation," the handbook advises.
2. Legal Implications
The second principle calls on directors to understand the legal implications cyberrisks pose for their organization. Laws and regulations related to cyberrisk are complex, covering privacy, disclosure requirements, and infrastructure protection, the handbook points out. "Boards should stay aware of current liability issues faced by their organizations — and, potentially, by directors on an individual and collective basis," the handbook stresses.
Considerations of particular importance are maintaining board minutes that reflect the board's discussions of cybersecurity, and public disclosure and reporting requirements related to cyberrisk.
3. Discussion and Expertise
The third principle addresses two concerns. It calls on boards to make cyberrisk a regular part of their agenda, with adequate time allotted. It also acknowledges that directors may need access to cyberrisk expertise. NACD's research bears these points out: Nearly 90 percent of public company directors surveyed say their board discusses cyberrisk regularly, yet only 14 percent say the board has a high level of knowledge of cyberrisks.
The most common board cyberrisk oversight practices are reviewing the company's approach to protecting its most critical assets (77 percent) and reviewing the technical infrastructure used to protect those assets (74 percent).
Although there have been calls for boards to add cyberrisk experts as directors, this might not be appropriate for all companies, the handbook states. Other strategies for tapping into expertise include briefings with outside experts, consulting with external auditors and outside counsel to gain an industry and "multiclient" perspective on risk trends, and participating in director education programs.
4. Cyberrisk Framework
The fourth principle urges directors to expect management to establish an enterprisewide cyberrisk management framework. The handbook specifically discusses the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was issued in 2014. The framework recommends that organizations assess their cybersecurity program against a four-tier scale of increasing maturity: 1) partial, 2) risk-informed, 3) repeatable, and 4) adaptive.
In addition, the handbook recommends organizations adopt an integrated cyberrisk management approach developed by the ISA. Key components include establishing ownership of cyberrisk on a cross-departmental basis, appointing a cross-organization cyberrisk management team, performing an enterprisewide risk assessment, developing an organizationwide cyberrisk management plan, and allotting sufficient financial resources.
5. Risk Actions
The final principle advises boards to discuss with management how cyberrisk decisions are made: which risks to avoid, which to accept, which to mitigate, and which to transfer through insurance. "As with other areas of risk, an organization's cyberrisk tolerance must be consistent with its strategy and, in turn, the resource allocation choices," the handbook states.