Cybersecurity Risk and the Board
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
According to a survey conducted by Goldsmiths late last year with responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries, more than 90 percent of them said they cannot read a cybersecurity report and are not prepared to handle a major cyber-attack.
At the same time, we know that Boards of Directors are ultimately liable and responsible for the survival of their organizations, and in today’s interconnected world, cyber resilience is a big part of that responsibility. That means that Boards must take an active role in cybersecurity.
Businesses of all sizes and stripes are increasingly required to meet strict cyber risk management mandates or face penalties. The tightening regulatory environment has prompted boards of directors to take an increasingly active role in implementing effective cyber risk management programs within their organizations, in an effort to mitigate the risk of disruption to business operations, avoid costly fines and damage to their brand, and prevent significant financial losses.
The increasing regulatory requirements, combined with the personal and professional liability exposure of C-level and board members, are creating inflated risk for management teams: they now carry increased legal liability for cybersecurity events, yet lack the ability to understand cyber-threat reporting and have little confidence in their own organization’s ability to prevent business disruption from a cyber-attack.
Every company that operates internationally and/or provides international guidance by way of consulting to other businesses knows that as of May, the EU General Data Protection Regulation (GDPR) becomes law and significantly expands the scope and enforceability of the EU’s data privacy regime. Businesses are required to inventory all personal data, incorporate risk-based cybersecurity measures and report any data breach to the supervisory authority within 72 hours. Non-compliant organizations may be fined up to four percent of annual global revenue or €20 million (whichever is greater).
Similarly, in the US, the New York Department of Financial Services (NYDFS) recently issued a first-of-its-kind cyber regulation impacting all New York-regulated financial institutions. The NYDFS regulation mandates the implementation of a risk-based cyber risk management program and the appointment of an individual to oversee the program, and, in an unprecedented step, this ground-breaking regulation holds company board members and senior officers personally liable for annual compliance certification.
This legislation was quickly followed by the SHIELD Act, aka the New York Data Security Act, which will require all companies that hold sensitive data of New Yorkers to adopt administrative, technical, and physical safeguards for that data, similar to the GDPR, regardless of the industry sector in which they operate (not just financial institutions).
And immediately following the Equifax breach, Congress created the FREE Act (Freedom from Equifax Exploitation), creating a federal requirement for credit reporting agencies to freeze access to credit files at a consumer's request, to give control over credit and personal information back to consumers, prevent credit reporting agencies from profiting from consumers' information during a freeze, and enhance fraud alert protections. There will be many more laws following these at both the individual state and federal levels throughout the remainder of this year.
What is puzzling, in light of these regulations and the shifting personal liability for cybersecurity breaches, is why boards continue to remain so clueless regarding what is clearly the number one threat to all businesses today.
We all know and accept the fact that cyber-attacks are one of the top three threats (if not the top threat) to all businesses today, and Warren Buffett described cyber-crime as the greatest threat to mankind at his annual Berkshire Hathaway shareholders' meeting. Yet fewer than half of board members surveyed claim to have any visibility within their organizations into the prioritization, identification or development of solutions to protect their company’s critical digital assets.
So, why aren’t boards responding to this threat by investing whatever amount of money is required in the problem until it is fixed?
If we look at financial corporate governance, we see that the challenge of investing is compounded by the fact that our brains (which excel at resolving ambiguity in the face of a threat) are less well equipped to navigate the long term with the same degree of intellectual agility. Since none of us can predict the future, successful investing relies on careful planning and continual discipline along with factual, quantitative data that can be used to support risk decisions.
In order to make a decision about risk, it is necessary to understand the costs associated with doing nothing and maintaining the status quo, and the costs of investing in hedges against the risk. In cybersecurity, it is common to refer to risk in qualitative terms, but in real life, risk decisions are actually based on quantitative terms. Deciding to visit Paris is influenced not by the color-coded travel advisories issued by the State Department but rather by the current death count resulting from terrorist attacks throughout France.
Similarly, gamblers may make what appear to be ill-informed risk decisions on a roll of the dice, but they actually control one of the key risk factors involved and that is the amount of money they are willing to wager, so there is always an element of quantitative assessment involved in the gamble. If the wager is $20, they know that $20 is the amount they may lose if things go poorly.
Board members have no such luxury: they have no idea what amount of money is at stake in the cybersecurity arena, and they have only the faintest idea of what all of the technological prevention and protection approaches actually do.
So, given that context, it may be easier to understand why Board-level executives appear so reluctant to move toward greater protection against a cyber-attack. It is not due to a lack of urgency or a failure to understand the potential consequences. They are undoubtedly clear that their enterprise will be hit with a cyber-breach one day and that some amount of damages will result. They simply do not know what that amount might be.
The fines outlined by the GDPR and other regulatory agencies will certainly help define the cost of non-compliance in specific and quantified monetary terms, but compliance does not equal risk assurance. All organizations need the ability to align risk with strategy and make decisions based on the need to deliver value while protecting the enterprise.
Until CIOs and CISOs begin measuring and reporting cyber-risk in those same monetary terms, boards will continue to be reluctant to invest in programs designed to reduce cyber-risk with vaguely defined results, just as they would be expected to reject any other investment proposal whose outcomes cannot be quantified.
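As an added illustration of what "reporting cyber-risk in monetary terms" can look like (example code added here, not from the original article), the following small Monte Carlo model prices a "do nothing" year against a year with a control in place, giving the board an expected annual loss, a median and a bad (95th-percentile) year, and the net benefit of the control after its cost. Breach frequency, loss sizes and the control's cost and effect are constructed assumptions, not figures from the article.

```python
"""Cyber-loss model in dollars: status quo vs. a control (constructed figures)."""
import math
import random

def poisson(rng, rate):
    """Sample a yearly breach count (Knuth's method; fine for small rates)."""
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1

def simulate_annual_losses(rng, years, rate, mu, sigma):
    """One sample per year: Poisson breach count times a lognormal loss per breach."""
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, rate)))
            for _ in range(years)]

def summarize(losses):
    """Expected annual loss plus the median year and the 95th-percentile year."""
    ordered = sorted(losses)
    pct = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {"expected": sum(ordered) / len(ordered), "p50": pct(0.5), "p95": pct(0.95)}

def analytic_expected_annual_loss(rate, mu, sigma):
    """Closed form to cross-check the simulation: rate * mean of the lognormal."""
    return rate * math.exp(mu + sigma ** 2 / 2)

def compare(status_quo, with_control, control_cost, years=20000, seed=7):
    """Put 'do nothing' and 'buy the control' side by side in dollars per year."""
    rng = random.Random(seed)
    base = summarize(simulate_annual_losses(rng, years, *status_quo))
    ctrl = summarize(simulate_annual_losses(rng, years, *with_control))
    return {"status_quo": base, "with_control": ctrl, "control_cost": control_cost,
            "net_benefit": base["expected"] - ctrl["expected"] - control_cost}

# Constructed assumptions: 0.6 breaches/year, median loss $2M (lognormal, sigma 1);
# the control halves breach frequency and costs $400k/year to run.
STATUS_QUO = (0.6, math.log(2_000_000), 1.0)
WITH_CONTROL = (0.3, math.log(2_000_000), 1.0)
CONTROL_COST = 400_000

if __name__ == "__main__":
    result = compare(STATUS_QUO, WITH_CONTROL, CONTROL_COST)
    for name in ("status_quo", "with_control"):
        print(name, {k: round(v) for k, v in result[name].items()})
    print("net benefit of control per year:", round(result["net_benefit"]))
```

Note that with these inputs the median year shows no loss at all, which is exactly why a board briefed only on "typical" outcomes underestimates the exposure; the expected value and the 95th-percentile year are the numbers a wager-sized decision needs.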
Compliance risk is one thing and it is both known and containable.
An Equifax-class loss is another thing entirely and defining that sort of risk in terms a board can understand is not just necessary in terms of corporate governance, but it is increasingly essential to corporate and individual survivability in a cyber-era of rapidly expanding unknowns.
Director at Logical Line Marking (6 years): Food for thought, Steve! I’m glad I came across your article.
Growth strategy Consultant | Advisor to media, Government & law enforcement | Known for security, prof. services, high profile & high net worth | New & niche markets | ROI | Data Analytics | Change Management (6 years): Debra Cairns, Ewan M., David Watt, Garry Bernstein: Even more startling stats!