Last week, the Global Network of Director Institutes (“GNDI”), an international network of director institutes promoting good corporate governance, released a paper outlining the overarching principles that should guide decisions made by corporate board members when it comes to cybersecurity oversight.
Recognizing the growing risk cyber threats pose to businesses, the paper aims to provide a high-level roadmap both in terms of approach and the types of questions that corporate boards should be asking. That said, the ultimate goal of any Board’s oversight should be to ensure the organization’s “cyber resiliency” (i.e., the ability of an organization to anticipate, withstand, recover from, and evolve to improve capabilities in the fact of adverse conditions, stresses or attacks) is robust and adapting to emerging cyber threats.
The paper relies on the recommendations made in the Cyber-Risk Oversight Handbook which outlines key principles that should guide a Board’s actions:
- Take a holistic approach - Cybersecurity should not be delegated to and/or be the sole responsibility of the IT department. Instead, cyber risks should be evaluated in the same way an organization assesses physical security of its human and physical assets and the risks associated with their potential compromise. Accordingly, Boards should approach cybersecurity as an enterprise-wide risk management issue.
- Understand the legislative environment - Boards should be mindful of the legal risks posed to the corporation, and potentially to directors on an individual or collective basis – e.g., high-profile attacks may result in lawsuits, including shareholder derivative suits alleging that the organization’s board of directors neglected its fiduciary duty by failing to take sufficient steps to confirm the adequacy of the organization’s protections against breaches of customer data. Accordingly, Boards should maintain records of boardroom discussions related to cyber risks, and determining what to disclose in the event an incident occurs.
- Access expertise and put cybersecurity on the board agenda - Boards should have adequate access to cybersecurity expertise and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. This can be achieved through a combination of recruitment of directors with specific cyber expertise, improving management’s cyber reports to the Board, conducting “deep dive” briefings from third party experts, etc.
- Establish a framework - Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. This can include establishing a cross-organization/departmental cyber-risk management team, empower senior management team to lead the implementation of the framework and measure progress.
- Categorize the risks - Given that total cybersecurity is an unrealistic goal, Boards will need to ensure that the organization’s cyber-risk tolerance is consistent with its strategy and, in turn, its resource allocation. Board-management discussions should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as developing and implementing specific plans associated with each approach.
As a general rule, the Board’s approach to cybersecurity should be no different to any other area of potential or actual risk. Risk appetite/tolerance must be determined, specific risks must be identified and actions must be taken to avoid, mitigate or transfer risk (e.g., through insurance). Cyber risk in particular should be overseen by the entire board and be part of the broader enterprise-wide risk management strategy.
Going forward, we anticipate that Boards will increasingly be called upon to weigh in when it comes to their organization’s cyber resiliency. It will be critical to ensure that not only Boards are armed with critical information, but that their decisions fall within a broader enterprise-wide cyber risk management framework. Steps taken by the Board will contribute significantly in their organization’s ability to effectively deal with cyber threats.