Cyber Risk Oversight:
Strategies For Boards
The CEO role is changing and arguably continues to evolve as new digital technology innovations lead to changing customer and stakeholder behaviors. The CEO’s digital vision says a lot about the direction of the organization.
“It's Not What You Look At That Matters, It's What You See.” ~ Henry David Thoreau
The failure of Enron’s board of directors to provide effective financial oversight was one of the cases that motivated the need for increased board oversight of organizations. Now board directors don’t just “look” at an organization’s financial statements; they try to “see” what’s really going on behind the numbers. They try to interpret and perceive what the financials are really saying, and they take their oversight responsibility seriously. In a way, the Enron case expresses the spirit of the quote above: it’s really not what we look at (observe) that matters but what we see (interpret and perceive) that counts.
When it comes to cyber risks, we see a scenario similar to the Enron case playing out. But instead of financial risks and complexity, it’s about cyber risks and complexity. The failure of organizations to detect and respond effectively to cyber risks and their associated impacts has motivated, and continues to motivate, the need for increased board oversight of cyber risks. There’s increased pressure from regulators (SEC, state governments, agencies, etc.) calling for more board oversight of cyber risks. But before boards can exercise effective oversight, they must understand the real problem and not just the symptoms of the problem that show up as business impacts (e.g. Change Healthcare, $872M according to its Q1 earnings report, and the MGM data breach, $100M in business disruptions according to a 60 Minutes report).
The problem posed by cyber risks is very complex and it’s a moving target of sorts: there’s no easy button and there’s no two-day Amazon Prime delivery option that will deliver impenetrable cyber security for all cyber risks. And you can’t just throw more money at the problem either (UHG spends $300M on cyber security), because there are other dimensions to the adaptive challenge, including time, technology innovations, people, culture and leadership. One other dimension to this growing problem that’s worth mentioning is the possibility, indeed high probability, of proxy firms using poor oversight of cyber risks to initiate a proxy fight with the board and management of public firms. Both ISS and Glass Lewis have included cyber elements in their guidelines.
So, what to do? There is no one solution that fits all companies and/or situations. Having said that, there are three practical strategic steps that boards can take if they choose to exercise effective cyber oversight. They are:
1. Define and Diagnose cyber oversight needs and commitment. Optimal Cyber Oversight: Establish alignment on the level of optimal cyber oversight and define the oversight context.
2. Assess effectiveness of current cyber oversight and governance. Cyber Governance Assessment: Assess the board’s cyber oversight practices, structure, expertise and guiding principles/policies.
3. Determine and Develop Board Cyber Competency: Develop the board’s strategic approach to gaining and maintaining access to cyber expertise.
4. Cyber Impact Analysis: Request an impact analysis of material cyber incidents from management.
1. Define & Diagnose Cyber Oversight Needs
Why is a definition of cyber oversight needs required? Sometimes, board directors may not have a clear and common/shared understanding of what they really need in terms of effective oversight. Other times, boards make assumptions about what they need that turn out to be flawed in some respect. For instance, board directors may make the assumption that they need to add a new director with cyber expertise given the steady string of cyber attacks. Everyone agrees to onboard a director with cyber expertise. This is great!
There’s only one problem: the board rarely, if ever, includes cyber-related topics on its board meeting agendas. Or it may allocate 15-20 minutes of a board meeting to cyber once a year. It sounds simple, but we’ve seen this time and again. This is similar to hiring an expert personal fitness trainer without making the time to meet with him/her. If you don’t make the time, you can’t possibly get the benefit.
A definition of cyber oversight needs helps boards identify a complete set of needs that work together to improve or enhance their cyber oversight effectiveness. More importantly, it facilitates board alignment on the following principal dimensions of cyber oversight needs:
Commitment - the level of commitment to cyber oversight
Time - both board time and committee time as needed
Expertise/Competency - ongoing development of cyber competency for the board and/or committee members
Practices - cyber governance practices
Determining the right amount and level of cyber oversight is vital and foundational to all of the other actionable strategies for effective cyber governance by the board. How much cyber oversight is actually needed and to what end or strategic direction? In some cases, the organization’s strategic direction calls primarily for satisfying regulatory compliance requirements with little reliance on technology solutions. But in other cases, the strategic direction may call for an acquisitions-growth strategy with heavy reliance on digital and technology solutions.
These two examples require two different levels of cyber oversight. In the first case, oversight in service of regulatory compliance may be the optimal level, but in the second case more oversight may be required; a deeper optimal level that prioritizes commitment and goes beyond compliance may be best. As expected, a mismatch between the oversight level and the organizational strategy will cause additional challenges.
Too much oversight (when little is required) becomes an unnecessary burden on management and too little (when more is required) may result in preventable intrusions, poor incident response, compliance violations and legal penalties. Adopting the Goldilocks principle is the best approach here, as you want the level of cyber oversight to be just right. Herein lies the strategic challenge, what’s just right for a corporation like Microsoft is different from what’s just right for McDonald’s and that’s also different for United Airlines and MasterCard. To help address this challenge of determining the right level of cyber oversight, we’ve included important considerations that will inform your board cyber oversight strategy and governance function:
Dependence on digital and information technology and its role in the strategic direction of the organization
Criticality of the organization and its business functions. For example, are the organization’s operations considered critical infrastructure?
Quantity of business partnerships and collaborations - value chain and supply chain partnerships
Long- and short-term organizational priorities
Risk profile
New revenue-creation opportunities
There are at least two approaches to this problem. The first is a shorter-term focus on providing some level of oversight in the absence of any oversight. If this is where you are, then the guideline document may be of value to you. It provides key questions to ask of management and potential responses. It also offers a high-level view of what basic and advanced oversight looks like as compared to poor oversight. This guide, Cyber Oversight Essentials, may help you get started on your cyber oversight journey.
2. Cyber Governance Assessment
Cyber Governance Assessment: Assess the board’s cyber oversight practices, structure, expertise and guiding principles/policies.
Oversight of cyber risk can be complex and involves several moving parts: third-party risks, employees, business disruption, ransomware attacks, data privacy, AI risks, and on and on it goes. Therefore, it is important that boards get a good sense of the structural components required to provide effective oversight in the midst of the complexity.
It’s not enough to ask management for an update on the top cyber risks facing the organization and corresponding mitigation strategies (or mitigation strategies employed) every quarter. To be sure, doing that is better than not doing so. However, more is needed given the rising frequency and sophistication of cyber-attacks across all industries and sectors. But what does “more” look like and why?
Well, to provide a balanced comprehensive response, we would have to take a look at some of the structural elements of cyber board oversight and governance to understand the specific things and practices that may be needed or those that may require improvements and enhancements or those that need to be retired. That’s the essential value of conducting a cyber governance assessment of the board. If the right internal expertise exists, a cyber governance self-assessment may be possible. But typically, the board is likely to get more value from an assessment that’s conducted by an external independent party such as a consulting firm or independent consultant. In either case, a robust cyber governance assessment provides a good pulse of the effectiveness of the cyber oversight function of the board. Such a governance assessment should include the following elements:
Board composition: In addition to the typical analysis of board size, demographic diversity and skills matrix that is part of a standard board assessment, the cyber governance assessment adds the mindset value dimension when evaluating board composition. This mindset value dimension is crucial, as it looks at directors’ willingness to learn and to focus on long-term vs short-term outcomes. It used to be that directors could rely solely on their decades of experience and expertise and offer valued contributions in the boardroom. And while that is still very valuable and should not be discounted, it’s more crucial in the VUCA world to have an insatiable appetite for learning, because the strategic challenges and opportunities are ever changing. The assessment should also provide specific strategies for gaining the needed cyber expertise. For more on board composition, see here. The bottom line is you may need to add board members that have these mindset and expertise qualities as you position yourself for the future.
Governance Structure: Given the multiplicity of topics and issues that boards and audit committees have to address, it’s becoming increasingly difficult to keep adding items to existing committee structures without sacrificing effectiveness in oversight. The depth of strategic discussions diminishes as existing committees have more items to get through in the allotted time and tend to spread their time across many more items. It’s the peanut butter effect. Hence, identifying and developing a modified committee structure and associated focus and objectives and charters may be beneficial. Reviewing existing structures to assess if they’re effectively exercising the cyber oversight and governance function is incredibly beneficial.
Decision-Making: Another crucial assessment item is the decision-making process. This is especially crucial in the area of materiality of cyber incidents for public companies, given the SEC cyber rules. But it also goes beyond that to include accountability measures, the risk appetite thresholds for certain decisions (e.g. what risks require board-level visibility and discussion, when, and whether at the full board and/or committee level), and the resource allocation strategy.
Strategic Alignment: How do board activities on cyber support or detract from business strategic priorities (e.g. M&As, global expansion, etc.)? Additionally, is there sufficient alignment of cyber board activities with other governance functions, including compliance, ethics, legal and broader enterprise risk? Also, the board’s oversight of cyber through an opportunity lens, cyber as a strategic asset, should not be overlooked during the evaluation of strategic alignment.
Board Meetings, Dynamics & Development: Given the risk profile of an organization, review the frequency of cyber topics on the board agenda and the information that’s presented to the board or committees, including its delivery, the real engagement of directors with cyber/tech topics and potential inhibitors to full engagement. Board development philosophy and practices should be assessed as well, to ensure directors are up to speed on the most relevant risks and technology innovations.
3. Board Cyber Expertise
Board Cyber Expertise: Develop the board’s strategic approach to gaining and maintaining access to cyber expertise.
A vital element of board governance and cyber oversight is the composition of the board in terms of skills and expertise and operating experience. Why? The effectiveness of cyber oversight will largely depend on having the right skills in the boardroom and at the board table. There are three principal approaches and/or dimensions to bringing effective cyber skills into the boardroom:
Dedicated Expertise: This is essentially onboarding a new cyber director to help with cyber-related board topics. The new director is expected to join the board and offer their expertise in a dedicated fashion as a full, active board member, as opposed to on-demand expertise (see below). This is the dimension most often considered by larger organizations with potentially significant digital impacts and opportunities. The boards of such organizations may also be large enough to accommodate bringing in a new board director, one who has some depth of cyber operating experience.
There are some challenges you should anticipate or plan to overcome if you go down this path. Things to watch out for in the recruitment of cyber board members:
· Foundational: Relevant cyber operating experience and expertise. A CISO or equivalent will typically meet this requirement
· Governance: Independence, courage, independence of thinking, unpopular perspectives and uncomfortable questions
· Leadership: Proactive rather than reactive; anticipates and leads rather than taking orders
· Communication: Translates effectively
· Business Acumen: Strategy
· Broader Experience: Technology, digital
Developed Expertise: Given constraints that may be facing an organization, this option to develop the cyber expertise and literacy of the full board may be very beneficial and can serve as an alternative to the dedicated dimension or as a supplemental additive to increase the collective cyber awareness in the board room. Considerations for this option include:
There are a few options to help with developing board expertise and depending on the risk profile of the organization, one or all of these options may be beneficial.
· Formal cyber board training
· Crisis simulation and experiential exercises
· Custom learning clinics: teaching and learning, updates and knowledge refresh
· Board mentorship
The aim is not to make you an expert but to give you the fundamentals of cyber oversight.
Formal Cyber Board Training: This option provides some cyber governance fundamentals for directors. It usually lasts a couple of days, using an instructor-led format (either virtual or in-person). The instructor focuses on cyber board governance topics and communicates at the right level for directors. It’s not meant to make board members cyber experts but to provide a foundational level of cyber governance practices and principles. It typically won’t provide the depth of applied understanding that a simulation exercise offers, and it won’t be specific to your situation or environment, but it’ll give you the basics.
Additionally, you may get a certificate that signals that you’re a director with cyber expertise. This can be useful for the organization, as it communicates to investors and stakeholders that the organization is taking cyber risks and security seriously, or at least seriously enough to invest the time and resources at the board level.
Cyber Crisis Simulation Exercises: The focus of this option is to provide directors with some level of experiential learning and applied understanding of the fundamentals during a material cyber incident or data breach. It’s one thing to know what questions to ask in order to exercise proactive oversight. It’s quite another to work through an actual data breach simulation. What should the board’s role be during such events? How can the board help? What should it not do? And many more landmines to avoid. Navigating these questions is an important and practical skill that board members can learn through simulation exercises.
Simulation exercises can also be used in non-crisis situations, for example in understanding the implications of new regulations like the new SEC cyber rules, or of rapid product launches. These power sessions, as we like to call them, can condense a lot of learning into a few hours, but they require that directors have some cyber fundamentals to get the most out of them. Without the fundamentals, they may prove less effective than expected.
Custom Learning Clinics: These are customized learning sessions that combine both fundamentals and experiential/simulation exercises. You get the best of both worlds and more. They are designed intentionally for the organization and concentrate on specific challenges that it’s facing or is about to face. They provide an opportunity for directors to engage proactively with each other and management in a dynamic, interactive way. They allow directors to apply the fundamentals and reinforce key learnings. Oftentimes they also produce actual governance practices and principles, policies and actions that the organization can put to use during and after the clinic. Due to the custom nature of this option, it’s typically more expensive and generally offered only by board advisory firms.
Board Mentorship Programs: This is an extended or expanded option that seeks to sustain new expertise and skills developed and provide continuous improvement for board directors. Generally speaking, the mentorship program should be designed internally and perhaps with support from an external consultant as needed. That is, the actual mentors will be other board members with more cyber expertise to help newer directors get up to speed. It has the added advantage of strengthening peer relationships as well as offering guidance beyond cyber related topics if the mentors have broader governance experience overall.
Recommendation: A blend of all three for large public boards
On-Demand Expertise: This is another dimension to board expertise and is often overlooked by boards. The primary idea of on-demand cyber board expertise is to provide the board of directors with access to relevant cyber expertise to address specific cyber governance and oversight challenges. In other words, the board can “phone a friend”. One of the benefits of this strategy is that the board gets actionable strategies from an external source with an external perspective, one that’s also independent of management’s views (or at least should be, if the board’s source of expertise is different from that of management).
This approach is not without its drawbacks. Given the sometimes unpredictable nature of some board cyber challenges (e.g. a data breach), it’s often difficult to plan for on-demand expertise. And there may be long lead times for the ideal on-demand expertise required for a specific board challenge. However, the board should maintain a very strategic and proactive position on cyber governance that ensures readiness for these predictable surprises before they occur. The time to prepare for the storm is before the storm, not during the storm.
Sources of On-Demand Expertise
· Large global consulting firms (e.g. McKinsey, PwC, KPMG, BCG, Deloitte, EY, etc.)
· Cyber security services companies (e.g. Mandiant, a Google company; Kroll; SecureWorks; etc.)
· Independent cyber consultants, ideally with board governance experience
· Law firms that specialize in cyber risks (e.g. Cooley, Baker McKenzie, ZwillGen, etc.)
· Insurance companies (e.g. Zurich, AXA XL, etc.)
· PR firms that have a cyber or crisis management practice (e.g. Edelman, etc.)
This list covers a wide variety of cyber governance needs, and directors should be careful to have a clear understanding of what’s needed and which type of firm can best get the job done.
4. Cyber Impact Analysis
Cyber Impact Analysis: Request an impact analysis of material cyber incidents from management.
Cyber Impact Analysis: Board members should request a cyber impact analysis from management. Such an impact analysis outlines the most significant business impacts that could result from a cyber attack. The focus is to connect all the dots that ultimately or potentially affect the organization and its stakeholders. These may include customers, partners, employees, etc. It’s important to note that several boards request/conduct an independent cyber risk assessment, and while that’s incredibly helpful, it’s not the same thing as a cyber impact analysis. Unlike a risk assessment, which concentrates on the cyber risks, their likelihood of occurrence and potential impacts, a cyber impact analysis focuses on the strategic analysis of business impacts tied to digital and cyber assets, as well as the second- and third-order consequences of the attacks and vulnerabilities. The primary focus is the impact and consequences: it assumes a weakness will be exploited, but then asks “then what?” and “then what?” again.
This gives directors a fundamental understanding of the economic impact of a potential cyber attack beyond the general understanding available in the public domain or in news reports. But more importantly, it helps the board get a specific handle on how cyber affects stakeholders across other dimensions, including legal, compliance, brand reputation and business operations. The analysis is not the typical management update to the board that provides metrics of a CISO’s cyber program, such as phishing, the vulnerability patching program, DLP events and/or privacy and security incidents. No, this effort is a broader strategic initiative that elevates the boardroom discussion to important strategic elements for the board. A sample impact analysis for MGM would look something like this.
We’ve provided this example to give directors a sense of what they should expect from management in response to their request for a cyber impact analysis. Although the specifics will be different for every organization, this example can serve as a baseline of sorts.
Management should be deeply involved in the analysis; it should not simply be outsourced to consultants, even if consultants are engaged to help.
In summary, heightened oversight means it’s not what you look at but what you see. These strategies will help you see and not just look or observe. You may have heard the common NACD saying “Noses in, fingers out”. Well, your hands may be out but your eyes, mind and heart should be in along with your nose.
In summary here are the principles and practices that increase the odds in your favor if you desire to have effective cyber board briefings.
Summarize the required practices and actions.
This is what makes great briefings, great!