Corporate boards of directors need to demand information and insight that will help them secure the organization’s future. As author Tom Horton wrote in the trade publication Directors & Boards, “The very survival of the organization depends on the ability of the board and management not only to cope with future events, but to anticipate the impact those events will have on both the company and the industry as a whole.”
Cybersecurity is one topic about which the board must become more educated and ask strategic questions of management and internal audit. Boards now are holding their leaders accountable for overseeing cybersecurity, as evidenced by the resignation of Target CEO Gregg Steinhafel, following the company’s massive security breach last year.
CAEs and their IT specialists must be ready to respond to the board’s inquiries, as well. A recent IIA Research Foundation and ISACA Research publication, Cybersecurity: What the Board of Directors Needs to Ask, provides some suggestions for such discussions. Moreover, a recent publication from the National Association of Corporate Directors (NACD), American International Group, and Internet Security Alliance describes five principles that boards should consider when they exercise oversight of cyberrisks:
- Directors need to understand and approach cybersecurity as an enterprise risk management (ERM) issue, not just an IT issue.
- Directors should know the legal implications of cyberrisks related to their organization.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyberrisk management should be given regular and adequate time on the board’s agenda.
- Directors should expect management to establish an ERM framework with adequate staffing and budget.
- Board-management discussion of cyberrisk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
Boards and CAEs should consider 10 actions the NACD publication proposes to ensure cybersecurity is on their agenda and discussed with senior leadership.
The board must become an additional “set of eyes” against cyberrisks within the organization. In this capacity, the board should supplement executive management, line management, and internal audit. Directors must require internal audit or an external security organization to provide an annual “health check” report covering all aspects of the organization’s cybersecurity program. Additionally, the board must monitor whether the enterprise risk levels related to cybersecurity are improving or deteriorating.
The board must understand the cyberrisks associated with third-party service providers. With IT budgets shrinking and more being asked from IT, outsourcing key components of IT or business processes to third-party providers is becoming common. Moreover, the board should obtain a report on all the critical business applications and the related data that is managed by such providers. The board must make sure that the organization has appropriate agreements in place with the service provider and that an appropriate audit of the provider’s operations, such as Service Organization Controls (SOC) 1 and SOC 2 assurance reports, is performed regularly by an independent party.
It is imperative that the board understands the safe harbor clauses in data breach laws for the countries and U.S. states where the organization does business. In the United States, almost every state has enacted laws requiring organizations to notify the state in case of a data breach. The criteria defining what constitutes a data breach are similar in each state, with slight variations.
Boards should be aware of all major breach attempts — not just actual incidents — made against the organization. This is necessary in light of several serious data breaches around the world. The definition of major may differ, depending on the organization’s industry and whether the organization is global, national, or local.
The board should meet with the organization’s chief information security officer (CISO) at least once a year. This meeting should supplement the health check report by helping the board understand the state of cybersecurity within the organization and enabling directors to discuss key cybersecurity topics.
The board should verify that management has established relationships with the appropriate national and local authorities who have responsibility for cybersecurity or cybercrime responses. For example, boards of U.S. companies should verify that management meets with the Federal Bureau of Investigation (FBI) annually. The FBI recently established the Key Partnership Engagement Unit, a targeted outreach program to senior executives of key private-sector corporations.
The board must require management to communicate with it about the ERM organization structure, including staffing and budget details. ERM generally encompasses several different risks, including operational, credit, regulatory, legal, and cybersecurity risks. IT is one of many different business groups that management relies on to manage enterprise risks. The board must also require management to provide statistics about how other companies in the industry allocate their budgets and which metrics they use to measure the budget allocation.
The board must ensure that the CISO is reporting to the appropriate levels within the organization. Keep in mind that although many CISOs continue to report within the IT organization, sometimes the chief information officer’s agenda conflicts with the CISO’s agenda. As such, the trend has been to migrate reporting lines to other officers such as the general counsel, chief operating officer, chief risk officer (CRO), or even the CEO, depending on the industry and the organization’s dependence on technology.
The board should meet with the CRO or equivalent at least annually and review all the risks that were either avoided or accepted. There are times when a business unit will identify a technology need that its executive is convinced is the right solution for the organization, even though the technology solution may carry potential security risks. The CRO should report to the board about such decisions by business-unit executives that expose the organization to additional security risks.
The board must verify that the organization’s cyber insurance coverage is sufficient to address potential cyberrisks. To understand the total potential impact of a major data breach, the board should ask management to provide the cost per record of a data breach.
No Time to Wait
The board must act on cyberrisk now. If the board still is not convinced of its need to take a strategic role in overseeing the organization’s cybersecurity strategy, directors should consider this: Proxy adviser Institutional Shareholder Services (ISS) has urged shareholders to overhaul Target’s board in the wake of last year’s data breach. In a recent report, ISS recommended a vote against seven out of 10 directors “for failure to provide sufficient risk oversight” as members of the audit and corporate responsibility committees. CAEs should ask themselves and the board this critical question: “Based on our risks, are we providing a sufficient level of oversight to address current and future cybersecurity threats?”
Sajay Rai, CPA, CISSP, CISM, is the president and CEO of Securely Yours LLC in Bloomfield Hills, Mich.
Steve Mar, CFSA, CISA, is the IT audit director for a U.S. specialty retailer.