Podcast / AI & Cyber

Host: Meghan Day, Principal Solution Designer
Strengthening cyber oversight

In this episode of the Corporate Director Podcast Catie Hall, Director at PwC’s Governance Insights Center, unpacks how boards can stay ahead in a fast-changing cyber landscape. She spotlights the need for ongoing director education to tackle threats like AI and global instability, urges hands-on prep with tabletop exercises, and advocates building stronger board-CISO ties through frequent, candid conversations. Catie makes it clear: directors must engage across the organization and ask tough questions to drive real cyber resilience.

Guests
Catie Hall
Director, PwC Governance Insights Center

More about the podcast

Also in this episode:

  • The importance of having a strong relationship between the board and the CISO, including regular meetings outside formal board sessions
  • Emerging cyber risks such as AI, geopolitical tensions, and supply chain vulnerabilities, and how boards can prepare for these challenges
  • The need for cross-functional engagement in cyber readiness and response across the organization, involving various stakeholders beyond just the CISO's office

Intro/Outro: Welcome to the Corporate Director Podcast, where we discuss the experiences and ideas behind what's working in corporate board governance in our digital, tech-fueled world. Here you'll discover new insights from corporate leaders and governance researchers with compelling stories about corporate governance, strategy, board culture, risk management, digital transformation and more.

Dottie Schindlinger: Hi everybody, and welcome back to the Corporate Director Podcast, the voice of modern governance. My name is Dottie Schindlinger, Executive Director of The Diligent Institute, and I'm joined once again by my amazing co-host Meghan Day, strategy leader here at Diligent. Meghan, how are you doing today?

Meghan Day: Hey, I am doing great, Dottie. You know, there's a little chill in the air. The leaves are turning. And you know what that means? It's the start of Cybersecurity Awareness Month.

Dottie Schindlinger: It's just what I was thinking, Meghan. Oh, cybersecurity. If only we could move on from this topic. But sadly, no. We will never be able to move on from this topic, because it continues to be a thorn in all of our sides.

But honestly, Meghan, I was just doing a little quick check to see, all right, what's going on in cybersecurity? We know it's always a big deal, and here's the thing: it is still just such a big problem. I was just looking at, I don't know if you heard about this story that happened over the weekend, but there was a hack that happened on, it looks like a ransomware attack that happened on this company called RTX, or excuse me, Collins Aerospace, which owns RTX.

They're having a ransomware attack, and it has impacted dozens of flights all across the EU, London, other parts of the EU, because it impacts the system that controls baggage handling, as well as gate assignments. And so it's just causing chaos, and it's a ransomware attack. I mean, we have been talking about ransomware for easily the past decade, and we all know ransomware tends to start when someone clicks on an infected attachment in an email.

That's the most common pathway. It's not the only pathway, but it's the most common pathway. And it's like, really? Are we still dealing with ransomware? The answer is, sadly, yes. It is still a major issue. You know, I think we, the humans, are still the weakest part of the cybersecurity infrastructure. Well, I think it's only fair, 'cause we are.

Meghan Day: We are only human after all, as the lyrics like to say, but I think until technology can catch up and tell us when something bad is trying to happen to us, I don't know how we get ahead of this. But you're right, Dottie. I do come back to my previous point about how we celebrate the things that we completely continue to overlook.

Dottie Schindlinger: To your point, I found another story that I thought was worth giving a little attention to, and that is, I dunno if you've been hearing what is happening with JLR. And so Jaguar Land Rover, if you're not familiar with the JLR acronym, they have had a major cyber incident that has been going on for weeks at this point.

It started in late August. They realized that something was very wrong, and by the Monday after they found this thing, they've had to shut down most of their factories. They have not been able to produce in factories across the UK, Slovakia, Brazil, and India for weeks now. It's costing them hundreds of millions of pounds.

It's a major deal, and they're still trying to diagnose what's going on and what's the cause, what's going on here. But one of the things that is true is that they had outsourced most of their cybersecurity. And so there wasn't really, maybe, quite enough oversight happening inside the company.

It's not to say that outsourcing is always a bad idea, but this is so critical to infrastructure. Maybe it's not the thing to outsource. Certainly get external help, get professional help when you need it, but completely outsourcing? Again, we don't really know all the details yet, so lots more to come on this story.

It's an ongoing situation, but honestly it's like, when are we gonna get this right, Meghan? It just is such a perennial issue. It really requires boards and leadership teams to spend time thinking about it, planning for it, asking the right questions, having the right conversations. You can't take your eye off this ball.

Meghan Day: But also, it has to be just naturally integrated into every conversation. That's the only way you're gonna be really able to get your arms around it. It becomes just another dimension of risk management in everything you're discussing around the board table.

Dottie Schindlinger: Well, Meghan, that's a good segue for us to play the interview that we had with Catie Hall, who's the director at PwC's Governance Insights Center and focuses on cybersecurity. We had a chance to speak with her about, you know, what's happening in boardrooms around cyber risk and how they can think about this differently.

So let's give that interview a listen.

Meghan Day: Joining us on the Corporate Director Podcast today is Catie Hall, director at PwC's Governance Insights Center. Catie, thanks for joining us.

Catie Hall: Thanks, Meghan. I'm glad to be here with you today.

Meghan Day: Well, I'm excited to have you on the show to help us kick off Cybersecurity Awareness Month. Big month.

Catie Hall: I know. Yes, it's big.

Meghan Day: But before we dive into the topics associated with that, could you introduce yourself and share a bit about your role at PwC and the work you do with the Governance Insights Center?

Catie Hall: Of course, happy to. So, as you mentioned, I'm part of a group at PwC called the Governance Insights Center, and we spend our full time talking to corporate executives, public and private companies across sectors, as well as executives and investors and other governance stakeholders, about a variety of topics, because the landscape is constantly changing, and it stays interesting and keeps us on our toes.

Meghan Day: That must put you in a fascinating vantage point, I think, especially given how quickly the world of the board of directors and executive management is changing, and particularly as it relates to cyber.

So let's definitely start there. As we know, cyber oversight really transformed in the last couple of years, especially with the now new-ish, kind of getting a little old, SEC disclosure requirements. But in general, this sense of increasing board accountability. So from your perspective, what kind of cybersecurity reporting is actually most effective for boards today? And where do you see boards struggling to maybe get the clarity or depth that they need?

Catie Hall: It's a great question, and I'm with you. I had to stop referring to them as new because it's been a few years now. And I should have also mentioned that part of my role in my group is that I spent several years leading up to 2023, and now post-2023, talking specifically about cyber with boards.

And so I'll bring that perspective today into the conversation. This was a big topic of conversation, this being cyber reporting, leading up to disclosure, you know, disclosure readiness, disclosure effectiveness. And it still continues to be very top of mind anytime I'm talking about cyber with boards or with CISOs. From CISOs: what should we be giving the board? From boards: what should we be getting from management? And there continues to be this disconnect. And when I think about why, it's just, it's a hugely technical, complex topic that is fast moving and evolving, and it's hard to get your arms around, particularly if you're a director and you have to be a specialist in many things in your role of oversight.

So in terms of what works best, unfortunately, this is one of those areas where there's not a one size fits all. And I think that's the disappointing answer that I have to give sometimes when I get asked: do you have a template? Do you have this master guide to what I should be providing the board?

No, no, I don't, unfortunately. But I think what boards need, and what they're getting to the point of asking for, or I guess getting around to now, now that we're a couple of years into disclosure effectiveness, is that they need decision-useful information. They need not just a data dump of metrics.

And sometimes what CISOs will tell us is that they're giving metrics based on what data they actually have available, whether or not that's the data that's actually meaningful. So to me, it's the board's responsibility to go to the CISO and say, well, what's important to you, CISO? What are you looking at to understand the risk to the organization and how the organization is managing that risk effectively or not?

So looking at a handful of really decision-useful metrics, I think, is a place to start. Understanding incident response within the organization, as well as any pertinent incidents that have happened outside the organization, and above all, tying everything back to a business-unit-level risk, because the board is thinking about things at the risk level and management is thinking about things at the risk level outside of the CISO, and enough of the CISO isn't.

But that's a different way, I think, of looking at it. Other things that you would typically see, rather: assessment against a recognized framework. You've got NIST CSF; we've got 2.0 coming, that's going to have, has, a Govern piece of it. It's really focused on the board.

There might be top risks to the organization. Again, nothing that's really out of the ordinary, but I think being thoughtful about curating the right information, if you're in the director's seat, asking the CISO what they think is helpful, and constantly evolving what that reporting looks like.

Meghan Day: Yeah. That tension between technical detail and strategic and business relevance definitely seems to be a recurring challenge.

Which I think brings me to my next question I'd love your take on, and that's about how boards should be thinking about director-level cyber expertise. I mean, is it realistic, or even necessary, for boards to have a cyber expert?

Catie Hall: Great question again, and this is one where the conversation has been all over the map.

So back in 2022, there was a bit of a scramble when the SEC had proposed including disclosure of cyber expertise on the board. And there was a revisiting of skills matrices and proxies and, oh, does this person actually have cyber experience or not? And so we saw numbers dip dramatically. This conversation is also still ongoing. Even as of last week, I was having a conversation about this with an audit committee. It just depends on your company's risk profile, the industry, the strategic direction of the organization. It may very well make sense for you to have a former CISO or CIO, CTO, someone with that executive technical experience on your board.

I still think it's important that they have a broad business acumen and are not so narrowly focused on one specific area. I think that continues to be the defense of the argument for a cyber expert on the board. But I see it happening, not a lot, but I do see companies adding some of those executives.

I still think, even if you do, the board has a fiduciary duty to understand the topics they're overseeing. And so there's a fundamental question of how are we upskilling? So some of that is from the CISO and through the education that they're providing, through their recurring board materials and maybe annual deep dives.

Part of it is accessing other third-party advisors that can help the board think through specific incidents or events, as well as just broad education. There are conferences, there are certifications, there are so many other things that they can do as well. But I think there are different tools in the tool belt.

Meghan Day: Yeah. Absolutely. And a lot of it does come down to your organization and, from the board itself, knowing not necessarily what questions to ask, but how you ask them, what your ultimate objective is, and what you're trying to glean from the conversations you're having with the CISO and other internal members of management, as you mentioned before.

Catie Hall: Yes, as well, because it's important not just to know what the right questions are, because any of us could go and ask what questions should I be asking. But it's important that you have the foundational context in which to challenge the response you get, and that sort of thing. So, as it is probably for you or I, we have to continuously upskill ourselves on these topics in which we are not trained professionals.

Meghan Day: Absolutely. Well, shifting gears slightly, let's talk about when a cyber incident actually happens, because as we all know, as the other experts like to say, it's not a matter of if, but when. So what could cyber incident readiness look like at the board level? What should directors be doing right now, before an incident, to make sure they're prepared to respond effectively?

Catie Hall: Well, the good news here is that we know boards and management teams are getting the memo when it comes to testing their resiliency and their readiness plans. Our annual corporate director survey this year highlighted that 81% of directors said their companies are performing tabletop exercises when it comes to cyber, so that's great news.

But I sound like the bearer of bad news with everything I answer here. It's one thing; there are lots of other actions that the board should be taking, even on a quarterly basis, in their conversation with the CISO, but also with the broader management team: understanding, has management identified the critical and interdependent systems and processes, and what actions would need to be taken?

If any of those were disrupted, what is the communication plan? All of these various things are areas that the board is gonna wanna get comfortable with, and not just when they're going through a tabletop incident. Making sure you, again, you've got that documented, tested plan, particularly now post-SEC disclosure effectiveness, that there is a process and a team.

If an event happens, not just that your operational side can get back to business, but also that you have your disclosure and your breach notification process underway, and your materiality evaluation and all of that good stuff. So looking at that, understanding that, and testing that too is hugely helpful.

Meghan Day: That's great. And that, though, is harder to do when the threat landscape keeps shifting. So I wanna talk a little bit about what's next. You know, where do you see the next wave of cyber risk coming from, whether it's AI, geopolitical tensions, supply chain vulnerabilities? How should boards be preparing for a vast amount of change on the horizon?

Catie Hall: Right. And I was gonna say, there's probably something that you and I don't even know about. That's the, oh, there definitely is. As a former risk professional, I can say there's always something to talk about here, you know, in terms of the conversations that we're having.

Definitely AI is coming up quite a bit in terms of, yes, the risk, also the strategic and opportunity side of it, but a lot around the risk. Third party continues. This is something that's been around the last several years, and I think continues to become top of mind for directors and for management teams, as you think about

not just who your third parties are, but how are they using their data, your data? How are they using AI with your data? I mean, there are just so many scenarios to work through there. And that's not just an IT issue. That's legal, that's cross loss, other things. Supply chains, certainly, with, you know, the events of the last couple of years, supply chain is top of mind.

To me, the place the board can start there, again, not needing to be the expert on all things risk or technology, is ask your CISO, ask other members: what are we not talking about? What's not showing up on the risk radar right now? How do we think about what's around the corner? If it's AI, if it's quantum computing, what is going to be the thing that we need to be focused on, and how are we prepared for when said risk starts to materialize?

Meghan Day: If the board wanted to do one thing differently or take one concrete step over the next year to strengthen their cyber oversight, what would you recommend?

Catie Hall: I'm gonna sound like a broken record, although I don't think I've mentioned it that many times. Education, upskilling. There are some other things too that I would talk about, but even again, going back to our corporate director survey, directors have told us they know that there are areas, and one area that they

feel that they could contribute more to overall board effectiveness and their role is by upskilling themselves. And again, if you think about all of the topics that are headed their way, broad cyber, but also quantum, AI and some others, seeking out education programs within the organization, through your CISO, through your CTO, CIO, but also externally, to round out their own knowledge is going to be huge.

It's nothing new, and I don't think it's particularly hard. I know everyone has demands on their time, but getting that education is going to be a big piece of it. And I'm gonna add on, not just one thing, I'm gonna give two: your relationship as a board. Think about how you're investing in your relationship with your CISO.

And when I say CISO, it might also be your CIO or your CTO, depending on the reporting structure. But are you meeting with them outside of regularly scheduled board or audit committee meetings? I think of it similar to how I would think about a CAE or maybe an external audit partner. You want to be able to pick up the phone and ask your CISO anything.

I was with a group of CISOs yesterday, in fact, and many of them were describing the relationship that they have with their audit committee chair as one of: we see an event in the news, we pick up the phone, we call the chair, we talk about it, we talk about what we're doing. So you wanna have that direct line that is not just limited to your quarterly in-person meetings. So relationships and education.

Meghan Day: Love that. And I wanna pull on a thread that you hinted at before, and that's about how broader parts of the organization are getting involved in cyber readiness and response, not just the CISO's office. What are you seeing there? And what kinds of questions should directors be asking to ensure that this type of cross-functional engagement is happening?

Catie Hall: Absolutely, and this is again something that has come up in conversation with CISOs: that cyber is not just an IT issue. AI is not just an IT issue.

There's a big piece of it that sits with technology, with security, but it is a cross-functional risk and a cross-functional responsibility to manage. So if I think about some of the different stakeholders: the CFO, and probably your corporate secretary or your GC, maybe IR. What do our disclosures look like?

Are they investor grade? Could we provide more information there? Internal audit: how are we thinking about cyber as part of the annual audit plan, and not just the SOX-related financial reporting controls? How are we thinking about looking at different areas of cyber risk, thinking about AI, and going even into the incident response program?

Are they looking at that? Are they testing how often that's updated and tested, and all that stuff? And then, I think, tying it back to the business unit level, asking business unit leaders, or whatever the structure of a company looks like: how are you thinking about cyber risk in each of your lines of business and your products and your services and your relationships with your third-party vendors?

How are you thinking about it? And then maybe back to the GC, or to your contracting group, whoever's working on that. Procurement, that's the word I was looking for here. Procurement group: how are they performing due diligence around cyber and controls and expectations when contracting with third parties?

So it really is, I mean, that's just a short sample, and you can see it really does cross the business in terms of where we need to be thinking about connecting the dots with risk and the board.

Meghan Day: That's great. Well, before we wrap up, any final thoughts to leave with our audience of directors and executives who are really just trying to stay ahead in this fast-moving and slightly upside-down world right now?

Catie Hall: Absolutely. I would start with, we've made great strides in the director community in terms of enhancing cyber oversight practices, and that is wonderful. But we all know it's a constantly changing game here, and to stay ahead of it just requires diligence and awareness and the ability and desire to stay curious here. So keep going. There's more to go here.

Meghan Day: Well, let's dive into the questions we ask all of our guests on the show.

Catie Hall: Sure.

Meghan Day: The first is, what do you think will be the biggest difference between boardrooms today and 10 years from now?

Catie Hall: This is gonna be the same answer that everyone says. I think it's, what's the biggest difference between blank and, yes, in 10 years? Technology.

Who knows what that's going to look like in the boardroom, and how technology's use and appearance in companies is gonna have that sort of knock-on effect in the boardroom. But I'm gonna say technology.

Meghan Day: What was the last thing you read, watched, or listened to that made you think about governance in a new light?

Catie Hall: So, I'm embarrassed to say that I just saw the movie Wall Street for the first time a couple of weeks ago. Oh. And I've been listening to a podcast on private equity, and they kept referring to it. I thought, well, maybe it's time I finally watch this. And wow, if there aren't a lot of, we now have the benefit of hindsight in saying this is why all these things are, these regulations are in place, but in terms of insider trading and gatekeeping and risks and incentives, all of that is in there.

So it's truly, now, to put my corporate governance hat on and watch it and think there are all these things happening that are wrong. So it was entertaining.

Meghan Day: Yeah, absolutely. And what's the private equity podcast, if you don't mind me asking?

Catie Hall: I think it's Stuff You Should Know. There was a podcast, rather, just about PE and the origins of PE, and I just found it really interesting and entertaining.

Meghan Day: Cool. Love that. Well, last but not least, what is your current passion project?

Catie Hall: So this is a random one. I'm on the board of trustees at my local library, and we are currently putting forth a more sustainable funding mechanism for our library, and we're putting it out for a public vote in a few months.

So I've been doing a lot of work around that effort and public awareness and all of that.

Meghan Day: Very cool. Yeah, great work. All right. Well, thank you so much, Catie, for joining us on the show today.

Catie Hall: Always a pleasure. Thanks, Meghan.

Dottie Schindlinger: Well, Meghan, thank you so much for that interview. You know, she points out the importance of ensuring that you've got good education and good resources available to leaders that are trying to make good decisions around cyber strategy, and I feel like I need to put in a shameless plug here: if you're a Diligent customer and you're using our Diligent One platform, you have access to all of our certification programs, including our cyber risk and strategy certification that is designed for board members and senior leadership teams, as well as another program on enterprise risk management.

And both of those programs are just really great at helping you to get that solid grounding of what do you need to know to make sure that you've got the right investments in place, you're asking the right questions, you're keeping your eye on the right metrics, you're really providing the right level of oversight on these important issues.

Meghan Day: Yeah, it's, again, to me, this idea. First of all, awesome to see that boards, 80%, whatever the statistic was, are doing tabletop exercises. Holy cow, that feels night and day to even where we were five years ago. But, agreed, I think that will only take you so far, and it just continues, for at least in my mind, to bring up questions about nimbleness and responsiveness and the need for flexibility and adaptivity just across organizations in a way that has never taken place before. And that starts at the board level.

Dottie Schindlinger: For sure. I mean, one of the things I will say is, I know when PwC does their research, they're very thorough, but I have a feeling most of those respondents were some of the larger public companies, and so you would expect 81% of them to do regular tabletop exercises. The insidious thing is that those that are most at risk tend not to be the big guys, right?

They tend to be smaller companies, a lot of private companies, a lot of nonprofit organizations, state and local governments, school districts. These poor organizations are at such risk for things like ransomware, for things like little attacks that come into their system because their system doesn't have the latest technology installed, or hasn't been patched in forever, or isn't using supported software.

It's that kind of stuff, that basic stuff, that we all have to take responsibility for as individual users of systems. And often we go, I'll do that later. How many times have you said, oh, I don't wanna update my iPhone right now, because I don't have time for that and it's on 20% battery, I'll get to that tomorrow? And then tomorrow becomes a week, and then it becomes two weeks. And the truth is, you're basically inviting bad things to happen, because those patches always come with the latest security provisions in place. And that's one of the main reasons that you install them, because you wanna have the latest and greatest security in place.

We're doing all the things. And it's not just the big companies that are at risk. In fact, I really think these days, because it's so easy to mount an attack, it's those that don't have the greatest security in place that are most at risk.

Meghan Day: Yeah. It brings to mind a recent issue that I heard about that's unrelated to corporate boards, but I think an example of how far this has just infiltrated our day-to-day lives. A podcaster slash social media influencer that I follow, completely unrelated to work or corporate governance or any of the things we do in our day job,

received an email from a fairly innocuous email address, claiming to be from an agent that works with a very, very popular comedian, and that comedian was a fan of this influencer's work and would love to have her appear on this person's podcast. Let's set up a time to connect. Would you love to have that conversation?

Yes. Okay. Click my Calendly scheduler link here and let's get that set up. She does that. Turns out she just handed over her entire computer and infrastructure to a malicious actor. A hundred percent something I would fall for if I was in that scenario.

Dottie Schindlinger: Well, totally. I mean, I think that's the thing, right?

Like that's a perfect example, Meghan, of how, first of all, I think a lot of the bad actors have gotten really smart at understanding a couple of important things. One is what would motivate us to click on a link? So what would we find intriguing enough that we would wanna download something or click on something?

They make it really enticing. That one obviously was a successful one. I think, because I spend a lot of time talking about cybersecurity, Meghan, I probably get about 15 of these a day, and some of them are laughably, ridiculously awful. I don't know if you've recently been getting the smishing; we've been getting a huge smishing campaign here in the US right now.

With numbers that come up on our cell phone, clearly not from within the US. They're clearly foreign numbers, telling us we have a citation with the Department of Motor Vehicles in our state, and if we don't pay it by Tuesday, they're gonna impound our cars. And it's really funny. It's, yeah, last time I checked, I don't think the Pennsylvania Department of Motor Vehicles was using a number that's based in Niger.

So I'm not sure that this is true. But I mean, so some of them are laughably dumb, but I get a lot that look really, really real. And I guess I've gotten to the level of being paranoid enough now that I pretty much don't download or click on anything until I have validated that it was sent by the person who said they sent it.

And so, quite honestly, what that means is, someone I don't already know, I don't click on anything that they sent me. And so that's just something to know. Like, I might be sounding like I need to walk around with a tinfoil hat on, but honestly, it pays to be a little paranoid, because it's so easy to get hacked.

Well, so hopefully all of you are celebrating your Cybersecurity Awareness Month with Meghan and I talking about doom and gloom and all the bad things that can happen. Yeah, I do think they didn't choose October arbitrarily, right? 'Cause October is the month we generally associate with spooky things and scary things, and cyber risk is pretty scary.

So, boo, go get your cyber house in order. Well, Meghan, that wraps up another episode of the Corporate Director Podcast, the Voice of Modern Governance. We'd like to say a few special thank yous, first and foremost to our cybersecurity expert, Catie Hall from PwC; podcast producers Kira Cicarelli, Steve Clayton and Laura Klein; our sponsors PwC, KPMG, Wilson Sonsini and Meridian Compensation Partners; and most especially, thank you to Diligent. If you like our show, please be sure to give us a rating on your podcast player of choice, five stars only, please. You can also listen to our episodes and see more from The Diligent Institute by going to diligent.com/resources.

Thank you so much for listening.

Intro/Outro: You've been listening to the Corporate Director Podcast. To ensure that you never miss an episode, subscribe to the show in your favorite podcast player. If you'd like to learn more about corporate governance and tools to help directors do their job better, visit www.diligent.com.

Thank you so much for listening. Until next time.

© 2025 Diligent Corporation. All rights reserved.