How Can the Board of Directors Increase Their Knowledge of Cybersecurity, Risk and Compliance?

Cybersecurity and business risks have become a significant concern for public companies and their board of directors. 

Board members either need to increase their own cybersecurity knowledge and their understanding of the industry's risk management frameworks, or recruit members with a comprehensive background, including experience as a Chief Information Security Officer (CISO).

What is the Role of the Board Regarding Cybersecurity Risk Oversight?

“Several well-known companies, such as Yahoo, Google, Facebook, Uber and Equifax, have experienced high-profile data breaches, resulting in corporate crises.”


As a result, corporate boards now treat cybersecurity as critical and hold themselves accountable for it. They are also required to take responsibility for overall cybersecurity risk management.


Boards and directors must clearly understand the cyber threats the organization faces, the organization's risk appetite, and how readily a traditionally risk-averse board will embrace this change.


Traditionally, the board of directors has focused on advising management and providing regulatory compliance oversight. Today's board needs to take a more direct role in assessing the organization's cybersecurity risk level, its overall cybersecurity preparedness, and its incident response.


Significant components of the SEC 8-K reporting requirements, and of the comparable EU mandates, include:


  • SEC: The SEC requires companies to disclose cybersecurity incidents within four days. They must include their cyber risk management strategy in their annual 8-K instead of the 10-K or 10-Q. Companies must also report the impact of material cybersecurity incidents on their organization.
    • The SEC also requires full disclosure of the role of the board of directors in oversight, identifying the members of the board committees responsible for cybersecurity threats and risks.
    • The SEC requires disclosure of the process by which the board of directors and its subcommittees are notified of a cybersecurity threat and of the economic risk to investors.
  • DORA & NIS2: Similar to the SEC mandate, DORA and NIS2 also require reporting a material breach within 24 hours of discovery. The board of directors' designated subcommittee members forward this report to the EU regulator.

Should Compliance-Related Matters Rise to the Managing Board Level?

The legal environment changes constantly, so boards need to stay updated on new regulations. They are responsible for ensuring proper oversight and measures are in place. A lack of oversight could lead to litigation from stakeholders, especially investors.


  • “The Delaware Chancery Court ruled in 1996 that directors can be personally liable for not adequately monitoring and supervising the enterprise. Cyber litigation is not limited to lawsuits against companies.”
  • Wyndham Worldwide Corporation’s board was sued for breach of fiduciary duty in overseeing cyber risk and cybersecurity.

What is the Role of Outside Consultants for the Board of Directors?

Should the board of directors set aside time and financial resources to engage in a board-level consulting relationship? 

Ultimately, this decision is driven by the board’s culture and development plan, including recruiting new members, developing committees, and accessing resources to assist with critical decisions around governance, risk, and compliance (GRC). These consultant relations should be exclusive to the board of directors only.  


EgonZehnder, a global consulting firm that focuses 100% of its practice on supporting boards of directors, has shown how essential this strategy is. EgonZehnder's advisory services include:

  • CEO Successions
  • Board Successions 
  • Chair Successions 
  • Subcommittee Selection and Succession
  • Board Review

Board-level consultants understand boards’ needs. Many boards of directors have a high turnover of members for various reasons. Some members serve their terms, and others depart because of conflicts of interest or personal reasons. These consulting firms like EgonZehnder understand this dynamic.


As the board develops its charter, including taking on a direct role in cybersecurity and risk, board consultants with experience in cybersecurity offer services to help with this transformation. This transformation may require more extensive recruiting of new members and the creation of proper subcommittees. For example, the board may need designated committees for governance risk, for oversight of global and federal privacy mandates, and for the cybersecurity response that the new SEC regulation requires.

Should the Board Move from an Advisor to a Decision Maker Role for Cyber, Risk and Compliance?

Transforming the board's role requires several critical changes to its current structure and charter.


Board members must take a more active role in cybersecurity to meet regulations and provide better oversight. This requires more than simply knowing which protections are in place and what the latest phishing-test results were.


Progressing from an advisory role to a more active engagement, the board should consider these essential first steps in this transformation:


  1. Develop a common language for addressing cyber attacks, risk mitigation, and governance matters. This common language needs to become the standard for the board, its subcommittees, the office of the CISO, the office of the Chief Risk Officer (CRO), and the office of the Chief Information Officer (CIO).

  2. Keep cyber resiliency top of mind at the board level. This critical topic requires continuous discussion, planning, and execution rather than becoming a once-a-year agenda item.

  3. Develop relevant and engaging relationships between the board and the CISO. Board members must work to build relationships with the cybersecurity leaders within the organization. Simply inviting the CISO to report to the board is not enough; the goal is stronger working connections between board members and security executives.

Forging Ahead as an Active Board to Meet Next-Generation Cyber Risk and Compliance Mandates


Board members must regularly discuss cybersecurity to stay on top of the continuously changing landscape and become more comfortable and knowledgeable about their organization’s cyber situation. The SEC rules can increase directors’ liability for cybersecurity incidents. The requirement for cybersecurity approval can lead boards to engage independent experts and promote a culture of security.


Effective cybersecurity requires strong governance and board leadership. Proposed regulatory changes will increase board oversight and engagement with security officers to improve cybersecurity. Compliance with these rules will help organizations build resilience and reduce risk.

Should you need help or advice at the board level, please contact Cubic Consulting at https://cubic.consulting. Help includes personal training, risk meeting preparation, cybersecurity strategy review, and more.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.