By Susan Shultz, CEO of The Board Institute, and Jeff Welgan, Head of Executive Training Programs, CyberVista.
It finally happened. Your company was hacked. Your customer data is for sale on the dark web and has also been posted openly on the Internet. How much does your board know about cyber risk?
Cyber risk has rapidly become one of the most critical challenges facing boards of directors. Despite the potentially disastrous effects of cyber fraud, only 32 percent of public company directors have a high level of knowledge and understanding of their boards’ emerging risks.
According to Dan Sharp, a noted organizational resilience expert and principal of The Board Institute, “With disorder and disruption becoming the norm rather than the exception, it’s critical that boards have the skills to help their companies prepare for and manage impending risk.” In fact, U.S. Securities and Exchange Commission (SEC) rules now require all public companies to disclose the extent of their boards’ role in the company’s risk oversight.
It is not enough to check the box. Boards need both the skills to help their companies prepare for and manage impending risk and the commitment to make effective risk oversight a priority. To address new regulatory pressures, investor demands, innovative competitors and the array of potential internal and external disruptors, boards must have confidence that they are overseeing risk effectively.
The Added Cyber Knowledge Challenge
According to a recent KPMG study, only 8% of directors are satisfied with their readiness to respond to a cyber crisis. What should you do if your board members are in the 92%? Get training and raise the level of this conversation.
According to the 2016-2017 NACD Public Company Governance Survey:
- 59% of directors find cyber risk somewhat-to-very challenging to oversee.
- 31% of directors have attended continuing education events on cyber risk within the past year.
- 12% of directors have participated in a test of the company’s cyber response plan within the past year.
Corporate leaders must ensure that their entire staff is equipped with the knowledge and awareness to recognize cybersecurity red flags, and must develop the technical and leadership talent within the organization to keep pace with emerging threats. They should not, however, exempt themselves from their own knowledge requirements.
In fact, the cyber knowledge that senior leaders must have to successfully drive cyber resiliency across their organization – and to meet their fiduciary and shareholder responsibilities – far exceeds what anyone could have imagined even a decade ago.
We should not expect directors and officers to understand all the technical details related to cybersecurity.
Instead, we should expect them to have literacy around cyber risk issues, so they can skillfully navigate the grey zone where cyber risk and business risk converge. Beware any false sense of comfort derived from appointing a token cyber expert to the board or executive suite. While having an expert at your disposal is certainly helpful, navigating cyber risk is complex and should be addressed as a team. You wouldn’t rely on a single director or officer to understand the financials; cyber should be treated no differently.
Evaluating Your Readiness: Is Your Board Prepared?
Warren Buffett once said that “it takes 20 years to build a reputation and five minutes to ruin it.” Although cyber risk can certainly cause significant damage to the unprepared, it is a manageable risk area. To ensure your directors, officers, and company at large are prepared to oversee this growing risk area:
- Regularly and objectively evaluate your board and C-suite on their ability to oversee, govern and manage a wide range of risk issues, including cyber risk.
- Implement a cyber risk training program for your board and executive team.
- Identify risk areas and blind spots by implementing a cyber risk dashboard. Evaluate and implement policies and controls to manage and prioritize risk within acceptable tolerance thresholds.
- Maintain your resilience by keeping up-to-date on the latest cyber risk issues and through cyber breach exercises and simulations.
CyberVista and The Board Institute Can Help
Cyber resilient companies have knowledgeable leadership teams that understand the business implications of the nuanced cyber risk issues that affect their strategy, operations, stakeholders, and their bottom line.
The TBI Protiviti Board Risk Oversight Meter™ enables boards to confidently understand, oversee and deflect risk. Leveraging years of research, it helps a board identify its strengths and limitations through a participative process and insightful reporting of the range of responses, the mean response, best practices, anonymous commentary, and the legal and regulatory requirements germane to board risk oversight. It highlights the importance of organizational resiliency and the board’s role in overseeing risk. Directors take ownership of the results using a robust, up-to-date, actionable report.
With CyberVista’s added expertise, cyber risk is now an integral component.
If you want to learn more about how to build and execute a risk management strategy that considers all types of cyber issues, contact CyberVista to schedule a Cyber Resolve training session in your boardroom or C-suite, or to learn more about the TBI Protiviti Board Risk Oversight Meter™. We will help you mitigate cyber risk and confidently manage and oversee your cyber strategy.