If Cyber is Material, Then Boards are Accountable

Cybersecurity has become a critical topic for boards of directors for several reasons. First, cybersecurity is now an existential issue, intrinsically tied to staying competitive in the market. The rapid digitization in financial services as well as the new ways of working spawned by the pandemic have created new risks that either did not exist or were not material before.

Second, regulators are increasingly indicating that ultimate accountability for cyber risk management rests with the board. This can mean that board members are personally liable for major cybersecurity lapses. The board must therefore have sufficient cybersecurity knowledge to discharge their fiduciary duties of care and diligence.

Additionally, environmental, social, and governance (ESG) issues are featuring much more prominently on board agendas. Cybersecurity, digital disruption, and data privacy are sustainability issues that need to be managed and disclosed.

Security leaders must educate their boards on an ongoing basis, speaking language they can understand and ensuring their updates stimulate engagement and dialogue, rather than a download of technical jargon. In fact, increasingly regulators ask to see board minutes proving that boards are engaging in robust discussion on cybersecurity. Boards can no longer just accept the CISO’s memo as “read.”

The Pivotal Role of the Board Risk Committee

Boards typically set the risk appetite for cybersecurity along with all other risks in their organizational risk framework. Directors need to understand how inherent and residual risks compare against appetite. They must understand adopted frameworks for managing cyber risks and how cyber risk management fits within the broader risk management framework. They need to be satisfied with the governance structures in place. They should understand the threat landscape in terms of how it impacts their organization as well as be aware of emerging risks. Much of this responsibility falls to the board risk committee.

Boards should ensure the risk committee dedicates enough time to carry out these duties and is flexible enough to convene should material issues arise. Outside of the usual brief quarterly update by the CISO to the full board, many risk committees hold annual or bi-annual deep dives which focus on any of the material risks that are operating outside of appetite. In many cases, cyber is one of them. Whether cyber briefings become more frequent or whether we see growth in dedicated cybersecurity committees largely depends on the effectiveness of the risk committee and whether what is elevated to the full board gives the board confidence that they are adequately discharging their risk management obligations.

The Smart CISO's Board Approach 

The expected lifespan of a CISO at an organization is only two to two and a half years. This is largely because they are wearing more and more hats: protector, enabler, key business partner, and advisor. Regulators are placing more scrutiny on CISOs in financial services; in many cases, holding them personally accountable. This means CISOs need to carefully consider every discoverable artifact they put out, especially to the board risk committee and/or full board.

1. Understand what is top of mind from the board’s perspective ahead of time. It may be useful to build a relationship with the chair of the risk committee, who can then work with you to shape briefings to be in line with board expectations.
   
   
2. Differentiate between board discussions and management discussions. The board is responsible for ensuring effective oversight and governance, unlocking long term value, and acting in the best interests of not only shareholders, but all stakeholders. Management is more focused on the here and now, such as quarterly earnings. In large organizations, it is rare to discuss budget with the board, unless it falls outside of management’s financial delegation. The board may ask if we can reduce exposure to risks operating outside of appetite faster if we invest more resources, but generally what we present to the board is the management-approved way forward, with budgets tied into that.
   
   
3. Choose no more than 2-3 key topics at any one time. What CISOs often forget is that at any one time, boards of highly regulated entities may have a thousand pages of memoranda they have to comb through. Do not overload them.
   
   
4. Focus on material risks. The board always wants to know where the firm is tracking outside of appetite, and what you are doing to minimize exposure.
   
   
5. Periodically refresh the threat profile for the organization, which may highlight additional areas for review and upgrading of defenses – such as the recent scourge of ransomware.
   
   
6. Never let an incident go to waste – whether internal or in the news, use cyber incidents as a way to educate the board and engage them in meaningful conversation.
   
   
7. Have a framework and set template within which you arrange your updates. Boards love the ability to demonstrate progress from one period to the next. They will often reference previous material, so consistency is key.

Metrics too should be organized into a framework that tells a story. There are no perfect measures. There is not even all that much commonality in the measures individual institutions use across the industry when reporting to boards. However, metrics can loosely be grouped into those that track:

1. Protection of critical assets - defending what is most valuable from cyber threats.
   
   
2. Employee awareness and vigilance – how well your workforce is enabled to make cyber risk decisions, such as success rates of fake phishing campaigns. While the jury is out as to whether they are the best measures, boards often like them because they are so pervasive; they allow you to benchmark against your peers.
   
   
3. Supply chain risk - It is difficult to report to the board where the weakest link in your supply chain is; you simply do not know. We manage our third parties via contractual security obligations as well as risk assessments. For suppliers who present more material risk, we implement a set of periodic checks and balances, such as them having to furnish SOC2 Type 2 reports, audit reports, and penetration test findings as well as remediation plans. We then check and challenge those on an ongoing basis; from a regulatory point of view, taking supplier reports at face value is no longer sufficient.
   
   
4. Incident response – Are you able to detect incidents within your designated times, and how long does it take from detection to actual containment. You know these from your periodic preparedness exercises.
   
   
5. Overall resilience – Is your security posture and ability to recover from material breaches adaptable to changes in threat landscape. There is no one size fits all for this. Many use the NIST Cybersecurity Framework.

How Much Cyber Expertise is Enough?

While boards tend to be well-versed on risk management as a topic, cyber defense is an area that is constantly evolving. It is imperative that board directors continue to increase their understanding of digital technology and cyber issues to be equipped to challenge management where necessary. They do not need to become experts, but can take courses, such as The Board’s Role in Cyber offered by the Australian Institute of Company Directors. They should also have access to independent cyber expertise, which is anyone outside of management that the board feels comfortable with, often the Big Four or other independent consulting firms.

As time goes on, boards will increasingly have cyber expertise as part of their makeup to ensure they are appropriately skilled and resourced to deal with emerging cyber risks. This may be an opportunity for CISOs of large firms to become board directors.

Now more than ever, “short-termism,” or singular focus on quarterly earnings, could render the company vulnerable to cyber threats. To balance investor expectations on sustainability and long-term viability, boards must be well-versed enough on cybersecurity to maintain an ongoing constructive dialogue with management to protect both shareholder value and cyber resilience.