CISOs say boards need their assistance on cybersecurity

By Erin Ayers on July 25, 2014

The threat of cyber attacks has reached a level where boards of directors must examine the issue and see where they can be involved in the risk management process. Chief information security officers (CISOs) may be the key to providing the understanding and tools to make that happen.

“There’s a waking up in corporate America that cyber risk is business risk,” said Lisa Davis, founder of Vicinage, a newly created firm that aims to connect CISOs with boards of directors in an advisory capacity.

While boards typically leave the operation of a company up to the management, when things go wrong, directors can be held accountable for a firm’s financial distress. Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar spoke last month on the topic of bringing awareness to boards of their cybersecurity responsibilities.

“Although boards have long been responsible for overseeing multiple aspects of management’s activities, since the financial crisis, there has been an increased focus on what boards of directors are doing to address risk management,” Aguilar said in a speech at the New York Stock Exchange. “Although primary responsibility for risk management has historically belonged to management, the boards are responsible for overseeing that the corporation has established appropriate risk management programs and for overseeing how management implements those programs.”

Board members understand cybersecurity should be on their list of concerns, but few have taken steps to address the issue, according to a recent survey from Eisner Amper, an accounting firm. The survey found that concern over cyber risks rose 10 percent in a year, and it also highlighted boards’ confusion on the subject.

“The survey’s finding of an increase in concern about cybersecurity/IT risk is not surprising, but when combined with other indicators, it raises many questions about how well-equipped organizations really are to address it. For example, respondents expressed relatively low levels of confidence in management’s knowledge of cybersecurity and related risk,” the survey noted.

The survey revealed that “the perceived level of knowledge of CEOs and CFOs around cybersecurity — and more importantly, social media — leaves an observer with an uneasy feeling about how a response would effectively factor in the fallout from these facets of any crises. Anecdotally, many executives (and board members) readily admit their lack of understanding of new media and cyber issues — two areas in which mere general knowledge can miss the critical nuances necessary for effective strategic and operational decisions.”

Expanding Need

Though she launched Vicinage only a month ago, Davis said she’s “never seen traction in a company like this one,” indicating a real need in the corporate world for CISO expertise.

“This is the time,” she said. “It could be so invaluable. It is such a critical risk area and it clearly is not understood.”

Aguilar, in his speech, commented, “Clearly, boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk — and there can be little doubt that cyber-risk also must be considered as part of board’s overall risk oversight.”

Dominic Nessi, chief information officer at Los Angeles World Airports, explained to Advisen that many boards “don’t realize the potential harm to their organization, their corporation or even to themselves on certain cybersecurity risks.”

Boards need to understand that risks of exposing people’s information carry more than a financial risk. It’s difficult to quantify the risk to an organization’s reputation.

“Many companies do not include cybersecurity risk in their overall risk management program until they become educated,” said Nessi. “It’s just so difficult to determine what the ramifications of cybersecurity threats may be.”

Board Approval

For Vicinage’s Davis, boards should be moving toward having CISOs as members. She said she sees some prejudice against that idea, citing comments like, “Well, they have a ‘C’ in their title, but they’re not part of the REAL C-suite” and “Oh, we’d never let a third level exec sit on boards.”

However, CISOs should be able to balance the technical side of the cybersecurity with the risk side.

Nessi told Advisen he hasn’t run into issues with boards of that nature, saying, “I … find that most board members and most corporate managers are reasonable in their approach if you approach cybersecurity in that manner.”

The “right” way for a board to handle cybersecurity risks really depends on the managing structure of the board, Nessi said. The board at LAX is a city organization, responsible for keeping the information of the flying public safe, he noted. Corporations with shareholders, or boards involved in the daily decision-making of an organization, or a more hands-off board – all of these will require different approaches.

At a minimum, all boards should be asking their organizations for an annual report from the operational staff on the approach to cybersecurity, Nessi asserted.

“And absolutely, they should either have a board member with a cybersecurity/information technology background or at least have access to an external advisor on cybersecurity,” he added.

“Fascinating” Time

According to Davis, this is a “fascinating time to be in this particular market.”

“I think the temperature among the CISOs is that there are many who are ready to serve [on boards],” she told Advisen.

Nessi warned that board members “don’t respond well to a cybersecurity ‘the sky is falling approach.’” It’s important to educate them on cyber risk with a “well-reasoned approach.” He explained that while he might bring up the case of Target’s data breach fallout, “scare tactics” aren’t usually the way to go.

“The reality is, board members tend to be very intelligent otherwise they would not be on a board,” he said. “They’re going to want to know specifically what is at risk and how to mitigate that risk.”

And the risk, he said, begins with the data.

“You need to know exactly what it is you’re protecting,” Nessi said. “In this business, you talk about defense in depth. You don’t just protect the perimeter of your network. You have to have safeguards throughout your network.”

He advocated for allowing CISOs within an organization to have the authority and flexibility to oversee anything in the organization that could introduce vulnerability, including ensuring that all employees have proper cybersecurity training.

There’s been debate over to whom CISOs should be reporting, whether it is to the chief information officer, the chief executive officer or directly to the board.

“Irrespective of their place in the organization, it’s their authority to independently review everything going on. And have a communication channel that allows them to make their findings known,” Nessi stated. “When you look at your network every day, you see the things that work. And it’s human nature to not see the things that won’t work or are vulnerable. That’s why you need a fresh pair of eyes.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].