
The Cybersecurity Landscape: How Can Boards Oversee Cybersecurity?

Nasdaq Center for Board Excellence A community dedicated to advancing corporate leadership

By Chris Hetner, Senior Cyber Risk Advisor to the National Association of Corporate Directors (NACD) and member of the Nasdaq Center for Board Excellence "Risk & Cyber Oversight" Insights Council, with additional insights by Catherine Addona-Peña, Chief Risk Officer at Nasdaq

This is the second blog post of a two-part series that discusses the evolving cybersecurity landscape. Read part one: The Cybersecurity Landscape: What Should the Board Know about Disclosures and Requirements? 

On one hand, technology has helped companies learn more about their target audiences, expand their customer base, improve efficiencies, and innovate. On the other, global interconnectedness, reliance on devices to conduct more and more transactions, and the increasing number of internet-connected things, from cars and appliances to wearables, have vastly expanded the attack surface that companies must defend. 

So far, the market has struggled to view cyber resiliency as a differentiator and to connect the value of cybersecurity preparedness to a company's bottom line, which makes investments in cybersecurity difficult to justify. The disconnect between cyber risk and business risk may be due to several factors, including a lack of literacy on these matters coupled with the largely qualitative nature of most cybersecurity risk assessments. That qualitative framing makes it harder to estimate the cost and benefit of any given change to a company's cybersecurity regime. 

Since 2018, Marsh and Microsoft have published an annual Global Cyber Risk Report, which calls out a number of shortcomings in corporate cyber risk management that have a financial impact. In 2022, the report found that 26% of executives estimate financial losses from cyber risk, while only 22% of respondents quantitatively measure cyber risk.

An understanding of the risk that any given company is facing is critical. “Boards can prepare for many of the scenarios that seem to unfold today with greater regularity,” said Steve Roycroft, CEO of RANE Network. “It comes down to the operating rhythm of the company and whether preparation, processes, and reporting are woven into the DNA of how the company operates. There are a lot of companies out there who can say, yes, we have access controls in place, and yes, we do training, and yes, we enable a whole laundry list of cyber assessments—but that is not enough. How the company embraces risk as it matures is a critical area for board oversight. It is up to the board to encourage resiliency as part of the DNA of the enterprise.” 

The solution lies in framing cybersecurity as a strategic issue and quantitatively measuring cyber risk through a financial lens. It is also important to arm boards with information that is meaningful, actionable, and communicates what types of oversight they should lean into. Beyond creating a clearer picture of investments, outcomes, and potential losses, this approach also makes it possible to benchmark the success of risk mitigation over time. 

A set of criteria, such as the one provided by the American Institute of CPAs (AICPA) or the Cybersecurity Framework from the National Institute of Standards and Technology (NIST), can help boards become more literate on cyber risk exposure and the related business, operational, and financial impacts, so that they can make informed decisions about transferring risk (for example, through cyber insurance), accepting it, or mitigating it. The board is ultimately responsible for defining risk tolerance, while executive management designs and implements the policies and controls that keep risk within that tolerance. 
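The two preceding paragraphs argue for measuring cyber risk in financial terms and for benchmarking mitigation over time, but do not show what such a measurement looks like. The following is an added example, not code from the original post or from Marsh, Microsoft, AICPA or NIST: a small FAIR-style Monte Carlo model in which a loss scenario is described by an event frequency and a per-event loss distribution, simulated over many years to produce an expected annual loss, a 95th-percentile "bad year" figure, and the net benefit of a control. The scenario name, frequencies, dollar figures and the assumption that the control cuts event frequency by 75% are all constructed for illustration.

```python
"""
FAIR-style Monte Carlo estimate of annual cyber loss exposure.

Added illustration, not from the original post. Every distribution and dollar
figure below is a constructed assumption for a hypothetical company.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, e.g. 'phishing leads to ransomware on the booking platform'."""
    name: str
    events_per_year: float   # expected loss-event frequency (Poisson mean)
    median_loss: float       # median loss per event, in dollars
    loss_spread: float       # sigma of the log-normal loss; 1.0 = wide uncertainty


def sample_poisson(rng, mean):
    """Knuth's algorithm; adequate for the small event rates typical of cyber scenarios."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(scenario, years=20000, seed=7):
    """Return one simulated total loss for each of `years` simulated years."""
    rng = random.Random(seed)               # fixed seed so results are reproducible
    mu = math.log(scenario.median_loss)     # log-normal parameterised by its median
    totals = []
    for _ in range(years):
        n_events = sample_poisson(rng, scenario.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, scenario.loss_spread) for _ in range(n_events)))
    return totals


def percentile(values, q):
    """Empirical q-quantile (0 <= q < 1) of a list of losses."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(losses):
    """Board-level numbers: expected annual loss, a 1-in-20 bad year, and chance of any loss."""
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p95_annual_loss": percentile(losses, 0.95),
        "p_any_loss": sum(1 for loss in losses if loss > 0) / len(losses),
    }


def control_roi(before, after, annual_control_cost):
    """Compare expected annual loss with and without a control against what the control costs."""
    base = summarize(simulate_annual_loss(before))
    mitigated = summarize(simulate_annual_loss(after, seed=11))
    reduction = base["expected_annual_loss"] - mitigated["expected_annual_loss"]
    return {
        "baseline": base,
        "mitigated": mitigated,
        "loss_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
    }


# Constructed scenario: about two credential-driven incidents a year, median cost $500k each.
BASELINE = Scenario("credential phishing leading to ransomware", 2.0, 500_000, 1.0)
# Assumption for illustration: phishing-resistant MFA cuts event frequency by 75%.
WITH_MFA = Scenario("same scenario with phishing-resistant MFA", 0.5, 500_000, 1.0)
MFA_ANNUAL_COST = 300_000


if __name__ == "__main__":
    result = control_roi(BASELINE, WITH_MFA, MFA_ANNUAL_COST)
    for label in ("baseline", "mitigated"):
        s = result[label]
        print(f"{label:9s} expected ${s['expected_annual_loss']:,.0f}  "
              f"p95 ${s['p95_annual_loss']:,.0f}  P(any loss) {s['p_any_loss']:.2f}")
    print(f"control cost ${MFA_ANNUAL_COST:,.0f}  "
          f"net benefit ${result['net_benefit']:,.0f} per year")
```

For a log-normal loss with median m and spread sigma, the mean per event is m * exp(sigma^2 / 2), so the baseline above has an expected annual loss of roughly 2 * 500,000 * exp(0.5), about $1.65M, and the control should bring that down by about $1.2M a year against a $300k cost. The p95 figure is the one to put beside the risk tolerance the board has set; rerunning the same model each quarter with updated frequencies is the benchmarking the text describes.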

Regardless of risk type, preparedness is key. It is no longer sufficient to only have an incident response plan in place; it needs to be thoroughly practiced to limit exposure and downside. Boards and executive management teams should run scaled tabletop exercises, in which the risk profile of each exercise is gradually increased until failure under a number of different parameters to accurately identify an enterprise’s “tipping points” and determine the level of risk mitigation that teams are comfortable with beyond the minimum regulatory requirements. Another layer is preparing for litigation in the aftermath of cybersecurity breaches as certain stakeholders, including shareholders and the investor community, are holding boards accountable for a perceived lack of oversight. 

Cybersecurity breaches are generally multi-step events that might have reputational and regulatory risks associated with them. Therefore, they should not be underestimated, particularly when considering an environment of global on-demand access, where the fallout of an incident to shareholders and stakeholders is palpable.

Recently, MGM Resorts International experienced a significant cyberattack that it estimates will reduce its third-quarter earnings by approximately $100 million. MGM has disclosed that the attackers may have obtained confidential customer information, including some customers' social security and passport numbers.

Another example is the SolarWinds cyberattack in 2020, rated as one of the most sophisticated and novel security breaches in history. Not only did the attack evade SolarWinds' own detection, but because the malicious code was inserted into the company's signed software update, that update reached as many as 18,000 customers, including high-level government agencies, from which the attackers then selected targets for further intrusion. 

Once the attack came to light, SolarWinds upgraded its cybersecurity practices, instituting an 11-point mitigation plan that included basic security measures such as multi-factor authentication. The SolarWinds cyberattack highlights the necessity for management and the board to stay vigilant on cybersecurity and to obtain the required expertise. Even when a worst-case cybersecurity incident is unavoidable, it puts a spotlight on enterprise cyber risk management, exposing deficiencies for which the company may be held culpable even where those deficiencies were not directly responsible for the breach.

As the SolarWinds example demonstrates, the growing use of trusted software updates as a vehicle for malicious code (supply-chain compromise), including large-scale data exfiltration, makes disclosure a priority across every organization that shares the affected software. Boards should therefore expect disclosure requirements to increase commensurate with risk as more and more systems share underlying infrastructure and, therefore, the same potential vulnerabilities.

The Board’s Role and Responsibilities

Technology risk management is typically delegated to the Chief Information Officer (CIO) or Chief Technology Officer (CTO), given the perception that managing cybersecurity risk is fundamentally a technical exercise. Cyber discussions at the board level should happen at least twice a year, with participation by the CIO, CTO, and other relevant executives. These regular updates will ensure that the board is informed of the nature, impact, and probability of a breach as well as the mitigation actions already in place. To the extent possible, the processes in place should be assessed through a consistent and repeatable set of metrics. 

Consideration should also be given to the role of the Chief People Officer (or equivalent human resources manager) in managing and maintaining a high level of security awareness in the workforce. Regular feedback from staff on how equipped they feel to manage cyber-incidents is a key metric for risk management. Risk management arrangements need to be robust, appropriate for the company, and sufficient to maintain the confidence of all stakeholders—regulators included.

At the end of the day, for boards to effectively oversee risk, they need to play an active role in weaving risk management into corporate strategy. Boards should have clear knowledge of the critical assets they are protecting for the company in order to recommend appropriate measures. This is particularly important with the evolution and rise of new technologies. Identifying these assets may not always be clear-cut, so engagement between the board and the executive management team is crucial and should lead to more informed decisions. 

As the cyber threat landscape expands and grows in complexity, boards should expect increasing oversight requirements and public pressure on their cybersecurity regime. Ultimately, no entity will escape the impacts of large-scale cyber incidents, so success will not be defined by the absence of such incidents but rather by the preparedness for and response to them when they arise. Every company is a target. It will be those boards that have actively and effectively invested in the appropriate risk management strategies, and can demonstrate as much to their stakeholders, that will remain competitive.

For more leadership insights and educational resources, join the Nasdaq Center for Board Excellence—a convener of board and executive leaders dedicated to strengthening corporate governance in the boardroom and beyond. Join our community.


The views and opinions expressed herein are the views and opinions of the authors and do not necessarily reflect those of Nasdaq, Inc.

