Cybersecurity and business risks have become a significant concern for public companies and their board of directors.
Board members must either deepen their own cybersecurity knowledge and familiarity with risk management frameworks, or recruit new members with that background, including experience as a Chief Information Security Officer (CISO).
What is the Role of the Board Regarding Cybersecurity Risk Oversight?
“Several well-known companies, such as Yahoo, Google, Facebook, Uber and Equifax, have experienced high-profile data breaches, resulting in corporate crises.”
Consequently, corporate boards now treat cybersecurity as critical and hold themselves accountable for it. They are also required to take responsibility for overall cybersecurity risk management.
Boards and directors must clearly understand the cyber threats they face, the organization’s risk appetite, and how far the board, given its own risk aversion, is prepared to embrace this change.
Traditionally, the board of directors focuses more on being an advisor or providing regulatory compliance oversight. Today’s board needs to take a more direct role in assessing the cybersecurity risk level and overall cybersecurity preparedness and incident response.
The most significant reporting requirements for boards, starting with the SEC 8-K rules, are:
- SEC: The SEC requires companies to disclose cybersecurity incidents within four days. They must include their cyber risk management strategy in their annual 8-K instead of the 10-K or 10-Q. Companies must also report the impact of material cybersecurity incidents on their organization.
- The SEC also requires full disclosure of the role of the board of directors in overseeing and identifying members of the board committees responsible for cybersecurity threats and risks.
- The SEC requires disclosing any process that defines how the board of directors and the various subcommittees become notified of a cybersecurity threat and the economic risk to investors.
- DORA & NIS2: Similar to the SEC mandate, DORA & NIS2 also require reporting a material breach within 24 hours of discovery. The board of directors’ designated subcommittee members forward this report to the EU regulator.
Should Compliance-Related Matters Rise to the Managing Board Level?
The legal environment changes constantly, so boards need to stay current on new regulations. They are responsible for ensuring that proper oversight and measures are in place, and a lack of oversight can lead to litigation from stakeholders, especially investors.
- “The Delaware Chancery Court ruled in 1996 that directors can be personally liable for not adequately monitoring and supervising the enterprise. Cyber litigation is not limited to lawsuits against companies.”
- “Wyndham Worldwide Corporation’s board was sued for negligence of fiduciary duty in overseeing cyber risk and cybersecurity.”
What is the Role of Outside Consultants for the Board of Directors?
Should the board of directors set aside time and financial resources to engage in a board-level consulting relationship?
Ultimately, this decision is driven by the board’s culture and development plan, including recruiting new members, developing committees, and accessing resources to assist with critical decisions around governance, risk, and compliance (GRC). These consulting relationships should be exclusive to the board of directors.
EgonZehnder, a global consulting firm that focuses 100% of its practice on supporting the board of directors, has proven this strategy essential. EgonZehnder’s advisor services include:
- CEO Successions
- Board Successions
- Chair Successions
- Subcommittee Selection and Succession
- Board Review
Board-level consultants understand boards’ needs. Many boards of directors have high member turnover for various reasons: some members complete their terms, while others depart because of conflicts of interest or personal reasons. Consulting firms like EgonZehnder understand this dynamic.
As the board develops its charter, including taking on a direct role in cybersecurity and risk, board consultants with cybersecurity experience offer services to help with this transformation. The transformation may require more extensive recruiting of new members and the creation of proper subcommittees, for example, committees designated for governance risk, oversight of global and federal privacy mandates, and the cybersecurity response required by the new SEC regulation.
Should the Board Move from an Advisor to a Decision Maker Role for Cyber, Risk and Compliance?
Transforming the board’s role requires several critical changes to its current structure and charter.
Board members must take a more active role in cybersecurity to meet regulations and provide better oversight. This requires more than simply knowing which protections are in place and what the latest phishing-test results were.
Progressing from an advisory role to a more active engagement, the board should consider these essential first steps in this transformation:
- Develop a common language when addressing the issues around cyber attacks, risk mitigation, and governance matters. This common language needs to become the standard for the board, their subcommittees, the office of the CISO, the office of the Chief Risk Officer (CRO), and the office of the Chief Information Officer (CIO).
- Keep cyber resiliency top of mind at the board level. This critical topic requires continuous discussion, planning, and execution; it must not become just an annual agenda item.
- Develop relevant and engaging relationships between the board and the CISO. Board members must work to build relationships with the organization’s cybersecurity leaders. Simply inviting the CISO to report to the board is not enough; the goal is a working connection between board members and security executives.
Forging Ahead as an Active Board to Meet Next-Generation Cyber Risk and Compliance Mandates
Board members must discuss cybersecurity regularly to stay on top of the continuously changing landscape and become more comfortable and knowledgeable about their organization’s cyber situation. The SEC rules can increase directors’ liability for cybersecurity incidents. The requirement for board-level cybersecurity approval can lead boards to engage independent experts and promote a culture of security.
Effective cybersecurity requires strong governance and board leadership. Proposed regulatory changes will increase board oversight and engagement with security officers to improve cybersecurity. Compliance with these rules will help organizations build resilience and reduce risk.
Should you need help or advice at the board level, please contact Cubic Consulting at https://cubic.consulting. Help includes personal training, risk meeting preparation, cybersecurity strategy review, and more.