To prevent costly breaches, the authority and responsibility for cybersecurity should rest directly with corporate boards.
Cyber-attacks have become increasingly common over the past few years and have occurred at companies such as Equifax, Capital One and Sony. These attacks can affect both brand and shareholder value. They also can result in hefty settlements; Equifax agreed to pay $700 million for damages related to its cybersecurity breach. Breaches also can result in the loss of trade secrets and intellectual property.
On the other hand, Forbes magazine quotes MIT research indicating that companies with digitally savvy boards have 17 percent higher profit margins, greater market capitalization and a better return on assets than companies that lack digital expertise.
According to Marius Nel with 360 Smart Networks in Atlanta, “the authority and responsibility for cybersecurity should start at the top — with the corporate board. This will raise the profile of cybersecurity issues and help decrease the odds of a cybersecurity breach.”
Board-level authority for cybersecurity can be accomplished in several ways. Cybersecurity could become the responsibility of the whole board or the responsibility could be vested in one key member. A board-level committee could complement both approaches.
Cybersecurity could be made the responsibility of the full board by appointing an expert to regularly report directly to the board, rather than having the expert report to the CEO. This also can be combined with creating a technology/cybersecurity board committee to implement strategy and to build risk-management skills among other board members. Creating a board-level committee focusing exclusively on cybersecurity issues can be a more effective strategy than referring these issues to an audit or compliance committee, which would have many priorities and lack the specific skills.
Effective cybersecurity programs are complex and far-reaching, particularly when changes are needed to increase security. Having the backing of a senior sponsor increases the likelihood of success. In determining which board member will take this responsibility, a company should consider each candidate's level of technical and operational training. To ensure effectiveness, compensation (stock and pay) should be tied to performance. A technology/cybersecurity committee also could be implemented with this approach; in this case, the committee reports directly to the board member who is responsible for cybersecurity.
Boards also should follow several best practices to improve their company’s cybersecurity.
- Follow the same business judgment rules for cybersecurity issues as apply when evaluating other risks. That means board members must educate themselves about the requirements in the countries and industries in which the company does business.
- Include a cybersecurity update at every board meeting. This report should cover capabilities and risks, show patterns over time, and benchmark against peers. It also should include aggregate information on the threats that were blocked. The board should consider cybersecurity risks in all discussions of new business initiatives.
- Ensure that adequate policies are in place and that committees or departments have sufficient resources to function properly. Ensure the company has the skills needed, both on staff and through consultants.
- Provide information in the company's shareholder reports about how it manages its cybersecurity risks. Disclose breaches to investors promptly. These practices are included in updated guidance for public companies issued by the SEC.
- Conduct a business continuity risk assessment from the perspective of cybersecurity.
- Seek to recruit board members with a diverse mix of digital skills.