Effective Cyber Risk Oversight:
Fundamental Actions For Boards
The CEO role is changing and arguably continues to evolve as new digital technology innovations lead to changing customer and stakeholder behaviors. The CEO’s digital vision says a lot about the direction of the organization.
“It's not what you look at that matters, it's what you see.” ~ Henry David Thoreau
The failure of Enron’s board of directors to provide effective financial oversight was one of the cases that motivated the need for increased board oversight of organizations. Now board directors don’t just “look” at an organization’s financial statements; they try to “see” what’s really going on behind the numbers. They try to interpret and perceive what the financials are really saying, and they take their oversight responsibility more seriously than in the past. In a way, the Enron case expresses the spirit of the quote above: it’s really not what we look at (observe) that matters but what we see (interpret and perceive) that counts.
The Enron financial scandal and present-day cyber risks have at least one thing in common: increased pressure from regulators and other stakeholders for effective board oversight of organizations. In the case of cyber risks, the oversight need is focused on cyber oversight as opposed to the financial oversight in the Enron case. The failure of organizations to detect and respond effectively to cyber risks and their associated impacts has motivated, and continues to motivate, the need for increased board oversight of cyber risks. There’s significant pressure from regulators (SEC, state governments, agencies, etc.) calling for more board oversight of cyber risks. But before boards can exercise effective oversight, they must understand the real problem and not just the symptoms of the problem that show up as business impacts (e.g. Change Healthcare, $872M according to the Q1 earnings report, and the MGM data breach, $100M in business disruptions according to a 60 Minutes report).
The problem posed by cyber risks is very complex and it’s a moving target of sorts: there’s no easy button, and there’s no two-day Amazon Prime delivery option that will deliver impenetrable cyber security for all cyber risks. And you can’t just throw more money at the problem either (UHG spends $300M on cyber security), because there are other dimensions to the adaptive challenge, including time, technology innovations, people, culture and leadership. One other dimension to this growing problem that’s worth mentioning is the possibility, indeed high probability, of proxy firms using poor oversight of cyber risks to initiate a proxy fight with the board and management of public firms. Both ISS and Glass Lewis have included cyber elements in their guidelines. So the real problem is that organizations have a limited and incomplete view of the problem that doesn’t fully recognize all of its dimensions. They fail to recognize that cyber is really an adaptive leadership challenge that can’t be solved along a single dimension, and they treat it as a technical problem (one that has an easy button) that can. They treat the moving target as a stationary object.
So, what to do? How can boards provide oversight for such an adaptive challenge as cyber? There is no one solution that fits all companies and/or situations. Having said that, there are three practical strategic steps that boards can take if they choose to exercise effective cyber oversight. They are:
Define and Diagnose Cyber Oversight Needs and Commitment: Establish alignment on the optimal level of cyber oversight and define the oversight context.
Assess the Effectiveness of Current Cyber Oversight and Governance (Cyber Governance Assessment): Assess the board’s cyber oversight practices, structure, expertise and guiding principles/policies.
Determine and Develop Board Cyber Competency: Develop the board’s strategic approach to gaining and maintaining access to cyber expertise.
Cyber Impact Analysis: Request an impact analysis of material cyber incidents from management.
1. Define & Diagnose Cyber Oversight Needs
Why is a definition of cyber oversight needs required? Sometimes, board directors may not have a clear and common/shared understanding of what they really need in terms of effective oversight. Other times, boards make assumptions about what they need that turn out to be flawed in some respect. For instance, board directors may make the assumption that they need to add a new director with cyber expertise given the steady string of cyber attacks. Everyone agrees to onboard a director with cyber expertise. This is great!
There’s only one problem: the board rarely, if ever, includes cyber-related topics on its board meeting agendas. Or it may allocate 15-20 minutes of a board meeting to cyber once a year. It sounds simple, but we’ve seen this time and again. This is similar to hiring an expert personal fitness trainer without making the time to meet with him/her. If you don’t make the time, you can’t possibly get the benefit. And it’s not just time; there are other dimensions to the oversight needs that can get overlooked without taking a step back to clearly define the cyber oversight needs of the board.
Yes, it’s true that board directors want and should want to ask the right questions of management and evaluate their responses. That’s a good thing. And for those that have an urgent need to understand what questions to ask and what a good response looks like, we offer an example in our question guide shown here. However, to sustain effective board cyber oversight, it’s important to get the fundamentals right. Defining the cyber oversight needs is one of those fundamentals that you don’t have the time not to get right.
A definition of cyber oversight needs helps boards identify a complete set of needs that, when addressed, work together to improve or enhance their cyber oversight effectiveness. More importantly, it facilitates board alignment on the following principal dimensions of cyber oversight needs:
Commitment - are directors aligned on the right amount and level of cyber oversight?
Time - how much time, both board time and committee time, is needed?
Expertise/Competency - what does ongoing development of cyber competency look like for the board?
Practices and Principles - what cyber governance practices should be adopted?
Determining the right amount and level of cyber oversight is a vital and foundational dimension for all of the other needs, because it facilitates board alignment on the commitment required. It informs how much time and expertise are needed and which practices must be adopted to be effective. If directors are not aligned on any of these, then there’s a high probability that cyber oversight will be ineffective.
The above can be viewed as the core ingredients of the recipe for effective cyber oversight, but the question remains how much of each is needed and in what quantities.
But how does a board actually determine the right amount and level of cyber oversight?
There are at least two approaches to this problem. The first is a shorter-term focus on providing some level of oversight in the absence of any oversight. If this is where you are, then the guideline document may be of value to you. It provides key questions to ask of management and potential responses. It also offers a high-level view of what basic and advanced oversight look like as compared to poor oversight. This guide, Cyber Oversight Essentials, may help you get started on your cyber oversight journey.
Determine The Right Amount/Level of Cyber Oversight
The principal strategic step for determining the right amount/level of cyber oversight is to evaluate the organizational/business factors that influence the degree of cyber oversight. These factors include:
Organizational growth strategy and strategic plan
Dependence on digital and information technology and its role in the strategic direction of the organization
Criticality of the organization and/or business function. For example, are the organization’s operations considered critical infrastructure, such as a power utility, financial services, etc.?
Quantity of business partnerships and collaborations - Value chain and supply chain partnerships
Long and short term organizational priorities
Risk profile of both existing and new revenue-creation products, services and opportunities
Regulatory compliance requirements
Industry, sector and markets (global, etc.)
Size of organization and business impact of cyber intrusions
Industry Regulation & Compliance: This factor greatly influences the amount of board cyber oversight required by organizations. The risk of non-compliance with cyber-related industry regulatory standards can result in significant consequences, including actions from regulators (e.g. legal penalties, settlement fines, etc.). The Equifax Inc. settlement of $575M-$700M with the FTC and CFPB is a good practical example. An additional consequence was the CEO’s resignation. The potential for such consequences requires board oversight, and effective cyber oversight by the board can help minimize or avoid such consequences. This is why regulatory compliance is such an important factor influencing oversight needs in the boardroom: the higher the complexity and number of the regulatory requirements, the greater the oversight needs. Conversely, organizations with lower regulatory requirements, or whose operations are not subject to cyber-related regulation, may have minimal oversight needs.
Technology Dependence, Role & Adoption: There was one American Cleaners store that I frequently took my dry-clean-only clothes to. This was before the COVID pandemic, and for years I always had to pay with cash. John, the owner, didn’t accept credit cards, had no computers, and the only information technology he had was an old-school telephone. I asked why and he said, “Well, I don’t want to pay the merchant fees, but more importantly, I don’t have to worry about computer hacking.”
I believe John’s (American Cleaners) broader point about hacking is that the greater the dependence on technology, the higher the cyber risk. And the higher the cyber risk, the better the cyber security and oversight needed. This seems deceptively obvious, but it is not. Most organizations and their leaders do not scale their cyber security capabilities in alignment with their digital technology dependence. For instance, if 90% of your customer orders come from the internet, then your cyber security should be better than average. But most leaders don’t come to this realization until after a significant cyber incident. Former board chair of Maersk, Jim Hagemann Snabe, was one of those leaders. As he shares about Maersk’s $250M-$300M cyber attack during this World Economic Forum session (min 6:37), more than 90% of all Maersk’s orders come through the internet, but their cyber security was average at the time of the attack. One of his conclusions was that the incident was a wake-up call to be better than average, to be the best they can be.
The role and adoption of technology in the future is only going to increase as new innovations such as Generative AI continue to evolve. Additionally, the growing number of third-party providers, suppliers and vendors, together with their own reliance on digital technology, will increase the complexity of determining the level of technology dependence for businesses. Either way, most organizations’ dependence on technology will continue to increase and will influence the amount of effective cyber oversight needed by the board.
Scope & Criticality of Impact: When considering scope and criticality of impact in the context of the cyber oversight needed, it is helpful to evaluate the cascading effect and criticality of impact of a material cyber attack. The cascading effect is a particularly important factor because it provides a more holistic/strategic view that encompasses the second-order effects of a cyber incident. The Change Healthcare incident is a good example of this cascading ripple effect because the impact of the data breach was at least two levels deep. First, insurance companies and payers couldn’t process patient claims for doctors’ services rendered. Second, doctors’ offices couldn’t get paid for several weeks, which put a significant financial/payroll burden on them. Additionally, patients couldn’t get their prescriptions filled as a result of the incident. It affected the healthcare supply chain and not just Change Healthcare.
Unlike a typical data breach that affects just the company and its direct individual customers, some cyber incidents affect customers of customers of customers. Often these are companies that offer digital/technology products and services, but not necessarily, as in the case of Colonial Pipeline.
The important point here is that boards should factor criticality of impact into their assessment of the amount of oversight needed. This is another one of those concentration risks that is difficult to determine until an incident occurs, but board directors can request from management a business impact analysis that accounts for the cascading effects, to help understand the ongoing oversight needs.
Strategic Direction: The organization’s strategic direction is a factor that helps anticipate future cyber oversight needs that are likely to emerge. Boards can be more proactive rather than reactive when they include the strategic direction of the organization in the cyber oversight needs evaluation. This proactive anticipation allows boards to skate to where the puck is going to be, in the words of Wayne Gretzky, and allows the board to get ahead and stay ahead of oversight needs and governance practices.
Consider, for example, an organization with a long-term strategy that’s driven by a high volume of M&A activity as well as external collaborations and partnerships. What effect does, or should, this strategy have on the cyber oversight needs? All things being equal, a different level of cyber oversight will be required when compared to a strategy that doesn’t call for heavy M&A. This may include different board committee structures, expertise and governance practices to support the long-term strategy.
Without this consideration, boards concentrate on reacting to cyber oversight and governance gaps that could have been anticipated. They may fail the organization by not preparing it for the required rapid recovery and resilience.
It may be a surprise to some that Change Healthcare was an acquisition made by UnitedHealth Group in 2022. In 2024, a Senate letter was directed at the CEO and the board. A board that had taken a proactive approach could feel confident in describing its robust oversight practices to show that it did all that could have been done to address the cyber risk.
How much cyber oversight is actually needed and to what end or strategic direction? In some cases, the organization’s strategic direction calls primarily for satisfying US regulatory compliance requirements. But in other cases, the strategic direction may call for an international acquisitions-growth strategy with heavy reliance on digital and technology solutions.
These two cases require two different levels of cyber oversight. In the first case, oversight in service of US regulatory compliance may be the optimal level but in the second case, more oversight may be required; a deeper optimal level that prioritizes commitment and that goes beyond compliance may be best.
As expected, a mismatch between oversight levels and organizational strategy will cause additional challenges. Similar to other oversight areas, too much cyber oversight (when little is required) becomes an unnecessary burden on management, and too little of it (when more is required) may result in preventable intrusions, poor incident response, compliance violations and legal penalties. Adopting the Goldilocks principle is the best approach here, as you want the level of cyber oversight to be just right. To help address this challenge of determining the right level of cyber oversight, we’ve included important considerations that will inform your board cyber oversight strategy and governance function:
In summary, the new business environment that calls for increased cyber oversight by directors isn’t likely to go away. Therefore boards must maintain a long-term view of exercising effective cyber oversight in service of all stakeholders of their organizations.
Effective oversight begins by proactively and correctly defining the cyber challenge and the oversight needs (both type and amount/level). It’s about ensuring you have the right ingredients as well as the right quantities to create the recipe for effective oversight, which in turn will produce effective cyber resilience and all the associated benefits.
Cyber oversight isn’t just about looking at cyber risks as a problem for the CIO/CISO to navigate; it’s also about truly seeing all the other dimensions of the challenge from a CEO and board level. As we stated at the beginning, it’s not what you look at but what you see, and we sincerely hope that these strategies will help you see and not just look or observe.
It requires a heart-level commitment as boards keep their noses in and their fingers out.