Why Some Board Directors Still Don't Take Cybersecurity Seriously

Nicholas J Price
The issue of cybersecurity has been a key concern for companies since the beginning of the Information Age. The severity of potential damage as a result of cybersecurity risk to companies is significant. The threat extends beyond corporate damage to the nation's economy and security. In addition, the severity of the issue could lead to increased personal liability for board directors. Professionals in the IT, legal and insurance industries are eager to help, but board directors aren't always taking advantage of their expertise, despite the difficulty in managing cybersecurity risks.

While an increasing number of boards have taken a keen interest in cybersecurity issues, many boards have not met the issue with an effort that's on the same level as the degree of risk that it presents. Many boards are falling between not being concerned enough about cybersecurity and just not knowing what they're supposed to do about it. In essence, organizations need more IT expertise on their boards, and they need a greater degree of information and support for cybersecurity from management.

What Are Board Directors Saying About Cybersecurity?

The most recent PwC Annual Directors' Survey gives us a pretty good indication that too few board directors are taking cybersecurity seriously.

About 78% of directors felt they had delegated cybersecurity to the right entity, which, in most cases, is the board, the audit committee or the risk committee. Only around 66% of boards reported that they were getting meaningful reporting about cybersecurity from management.

Less than 63% of boards acknowledged that they were giving cybersecurity enough attention on their board agendas. Only 53% of boards have a comfort level with the company's crisis response plan. Some 41% of boards felt they got sufficient continuing educational opportunities on cybersecurity, while 40% of boards said they understood the company's cybersecurity strategy, and only 37% indicated that they understood the cybersecurity risks they were facing. Regarding director expertise on cybersecurity, only 36% of boards stated that it was enough.

When directors were asked about the types of cybersecurity issues they had discussed, 78% said that they had discussed a crisis response plan in the event of a major security breach and 74% talked about the company's cyber insurance coverage. When asked about discussing whether to engage an outside cybersecurity expert, 74% of boards said yes and 71% said they had talked about a cybersecurity expert's evaluation. About 58% of board directors indicated that they had talked about cyber risk disclosures in response to SEC guidance, 53% had talked about hiring a CISO, 42% had discussed an actual breach of their company's security, and 42% had the Department of Homeland Security/NIST cybersecurity framework on their board agendas. These numbers represent increases of only about 25 points since 2014.

How Confident Board Directors Are That They Know Cybersecurity

Overall, boards know substantially more about governance than they know about cybersecurity. Many boards are happy to delegate it to the audit or risk committee and be done with it. Some board directors are of the mindset that there's a better chance that it will happen than not, so they'll worry about it when the time comes. Other board directors believe that it's an IT issue and leave it to the IT department to make sure all the bases are covered. Companies that don't deal with much personal information may feel that it's not relevant enough to make it a priority, not knowing that they have just as much risk as bankers, retailers, healthcare organizations and insurers.

Perhaps the bulk of board directors don't understand cybersecurity well enough to even ask the right questions. In some boardrooms, directors are looking around the room for someone else to come up with a responsible cybersecurity plan.

The reality is that any company with valuable assets is a target. Most of the companies that have had major media attention due to data breaches have been in the limelight because of the risk that comes with breach notification laws. There are thousands of other companies that don't disclose cyber breaches because there's no requirement to do so.

A leading cybersecurity lawyer spoke to public companies at the SEC's Cybersecurity Roundtable in March 2014 and stated, "I would say that I really can't think of a case - and we've worked a lot - where the disclosure thinking or analysis was driven by the securities law issues, frankly."

In other words, board directors shouldn't wait for the SEC to force action on their part before they become concerned enough about liability. Board directors can be held personally liable for being inactive on the issue of cybersecurity. To date, there has been little litigation over the lack of board oversight. The more that becomes known about cybersecurity, the more likely that is to change. It's possible that a rash of liability suits could ensue in the future if boards don't begin to give the issue more merit. The SEC could also step up at any time and put regulations in place to require stronger oversight.

Why Boards Need a Wake-Up Call on the Issue of Cybersecurity

Cybersecurity is an enterprise-wide risk. The full board needs to gain a greater scope of understanding in this area and they need to form a responsible plan for how to manage it. It's okay to delegate it to a committee, but the board should understand it, too. While the audit committee may be the appropriate committee to handle it, boards should consider the increased obligations they've already recently taken on.

There's no question about the severity of cyber risk, and it's the board's job to ask the hard questions of the IT department and get solid answers. Experts and consultants are available to help with customized, independent evaluations and boards need to consider accepting their assistance. Employee education is a big part of creating a cybersecurity-aware culture.

Cybersecurity starts with the board taking its own security seriously. A Diligent board management software program is the first step to ensuring that board communications are secure and confidential. Diligent promotes modern governance in all aspects of board responsibilities, which means that boards are willing to take the most efficient, secure and streamlined approach to their board duties.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.