Effective Cyber Risk Oversight: Fundamental Actions For Boards

There’s increasing pressure on boards for more cyber risk oversight. Taking action on these fundamentals will help build a solid foundation for sustained and effective cyber risk oversight.

“It's Not What You Look At That Matters, It's What You See.” ~ Henry David Thoreau

The failure of Enron’s board of directors to provide effective financial oversight was one of the cases that motivated the need for increased board oversight of organizations.

Now board directors don’t just “look” at an organization’s financial statements but they try to “see” what’s really going on behind the numbers. They try to interpret and perceive what the financials are really saying and they take their oversight responsibility more seriously than in the past.

In a way, the Enron case expresses the spirit of the quote above: it’s really not what we look at (observe) that matters but what we see (interpret and perceive) that counts.

The Enron financial scandal and present-day cyber risks have at least one thing in common: increased board oversight pressure from regulators and other stakeholders (Sarbanes-Oxley, SEC cyber rules, etc.).

In the case of cyber risks, the oversight need is focused on cyber oversight as opposed to the financial oversight of the Enron case. The failure of organizations to detect and respond effectively to cyber risks and their associated impacts has motivated, and continues to motivate, the need for increased board oversight of cyber risks.

There’s significant pressure from regulators (SEC, state governments, etc.) calling for more board oversight of cyber risks. But before board directors can exercise any measure of oversight, they must, at a minimum, know the right questions to ask and how to evaluate the answers to those questions. And then they must actually ask the questions and evaluate the answers.


Side Bar

One of the crucially important cyber oversight questions to ask concerns the strategic business impact of cyber risks on the organization. To learn more about how to distinguish a high-quality response from a low-quality one, we encourage you to download this guide.


But effective oversight goes beyond just asking the right questions. It requires that directors have a clear understanding of the real problem and not just the symptoms of the problem that show up as business impacts. Examples of companies that have experienced these business impacts include Change Healthcare ($872M according to its Q1 earnings report) and MGM ($100M in business disruptions from a data breach, according to a CBS 60 Minutes report).

The problem posed by cyber risks is very complex and it’s a moving target of sorts. There’s no easy button, and there’s no two-day Amazon Prime delivery option that will deliver impenetrable cyber security against all cyber risks.

And you can’t just throw more money at the problem either; UnitedHealth Group (UHG, the parent company of Change Healthcare) spends $300M on cyber security. That is because there are other dimensions to the problem, including time, technology innovations, people, culture, leadership and governance. The governance dimension is especially relevant to board directors and proxy advisory firms. Indeed, at least one proxy advisory firm has included cyber risk oversight as a component of its policy guidelines.

Glass Lewis, the second largest proxy advisory firm in the US, has included cyber risk oversight in its 2024 US Benchmark policy guidelines. A key phrase from the guidelines document that’s worthy of attention is “…we may recommend against appropriate directors should we find the board’s oversight, response or disclosure concerning cybersecurity-related issues to be insufficient, or are not provided to shareholders.”

The Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly also recognizes the governance dimension of the cyber problem, as evidenced by her comments in her opening statement post: “These steps, however, are only achievable if CEOs, Boards, and every single business leader of a critical infrastructure organization treats cyber risks as core business risks and recognize that managing them is a matter of both good governance and fundamental national security.”

What’s our point? The governance dimension of the problem is crucial, and effective oversight is the key. Effective oversight begins with a new and refined appreciation of the problem as an adaptive challenge and not just a technical problem. Cyber is really an adaptive leadership challenge that can’t be solved along a single dimension and can’t be treated as a technical problem (one that has an easy button). It’s a moving target, not a stationary object, and that requires directors to get the fundamentals right.

So, what to do? How can boards provide oversight for an adaptive challenge such as cyber? There is no one solution that fits all companies and/or situations. Having said that, there are three practical strategic steps that boards can take if they choose to exercise effective cyber oversight. They are:

  1. Define and diagnose cyber oversight needs and commitment (Optimal Cyber Oversight): establish alignment on the level of optimal cyber oversight and define the oversight context.

  2. Assess the effectiveness of current cyber oversight and governance (Cyber Governance Assessment): assess the board’s cyber oversight practices, structure, expertise and guiding principles/policies.

  3. Determine and develop board cyber competency: develop the board’s strategic approach to gaining and maintaining access to cyber expertise.

1. Define & Diagnose Cyber Oversight Needs

Why is a definition of cyber oversight needs required? Sometimes board directors do not have a clear and common/shared understanding of what they really need in terms of effective oversight. Other times, boards make assumptions about what they need that turn out to be flawed in some respect. For instance, board directors may assume that they need to add a new director with cyber expertise, given the steady string of cyber attacks. Everyone agrees to onboard a director with cyber expertise. This is great!

There’s only one problem: the board rarely, if ever, includes cyber-related topics on its board meeting agendas. Or it may allocate 15-20 minutes of a board meeting to cyber once a year. It sounds simple, but we’ve seen this time and again. This is similar to hiring an expert personal fitness trainer without making the time to meet with him/her. If you don’t make the time, you can’t possibly get the benefit. And it’s not just time; there are other dimensions to the oversight needs that get overlooked unless the board takes a step back to clearly define its cyber oversight needs.

Digital Economy

In an accelerating digital economy, there’s an urgent need for directors to ask the right cyber oversight questions and adequately evaluate the responses they get. It can be tempting, very tempting, to jump right in and start asking the right questions while forgetting to take a step back and also address the fundamentals. However, to sustain effective board cyber oversight, it’s important to get the fundamentals right. Defining the cyber oversight needs is one of those fundamentals that you don’t have the time not to get right.

A definition of cyber oversight needs helps boards identify a complete set of needs that, when addressed, work together to improve or enhance their cyber oversight effectiveness. More importantly, it facilitates board alignment on the following principal dimensions of cyber oversight needs:

  • Commitment - Are directors aligned on the right amount and level of cyber oversight?

  • Time - How much time, both board time and committee time, is needed?

  • Expertise/Competency - What does ongoing development of cyber competency look like for the board?

  • Practices and principles - What cyber governance practices should be adopted?

Determining the right amount and level of cyber oversight is a vital and foundational dimension underlying all of the other needs, because it facilitates board alignment on the commitment required. It informs how much time and expertise are needed and which practices are required to be effective. If directors are not aligned on any of these, then there’s a high probability that cyber oversight will be ineffective.

The above can be viewed as the core ingredients of the recipe for effective cyber oversight; the remaining question is how much of each ingredient (in what quantities) is needed.

But how does a board actually determine the right amount and level of cyber oversight?

Determine The Right Amount/Level of Cyber Oversight

The principal strategic step for determining the right amount/level of cyber oversight is to evaluate the organizational/business factors that influence the degree of cyber oversight. These factors include:

  • Regulatory compliance requirements

  • Degree of technology dependence

  • Scope of impact

  • Strategic direction

Regulatory Compliance Requirements: These greatly influence the amount of board cyber oversight required by organizations. Non-compliance with cyber-related industry regulatory standards can result in significant consequences, including actions from regulators (e.g. legal penalties, settlement fines, etc.). The Equifax Inc. settlement of $575M-$700M with the FTC and CFPB is a good practical example. An additional consequence was the CEO’s resignation. The potential for such consequences requires board oversight, and effective cyber oversight by the board can help minimize or avoid them. This is why regulatory compliance is such an important factor influencing oversight needs in the boardroom: the higher the complexity and number of regulatory requirements, the greater the oversight needs. Conversely, organizations with lower regulatory requirements, or whose operations are not subject to cyber-related regulation, may have minimal oversight needs.

Degree Of Technology Dependence: There was one American Cleaners store that I frequently took my dry-clean-only clothes to. This was before the COVID pandemic, and for years I always had to pay with cash. John, the owner, didn’t accept credit cards, had no computers, and the only information technology he had was an old-school telephone. I asked why and he said, “Well, I don’t want to pay the merchant fees, but more importantly, I don’t have to worry about computer hacking.”

I believe John’s (American Cleaners) broader point about hacking is that the greater the dependence on technology, the higher the cyber risk. And the higher the cyber risk, the better the cyber security and oversight that is needed. This seems deceptively obvious, but it is not. Most organizations and their leaders do not scale their cyber security capabilities in alignment/accordance with their digital technology dependence. For instance, if 90% of your customer orders come from the internet, then your cyber security should be better than average. But most leaders don’t come to this realization until after a significant cyber incident. Former board chair of Maersk, Jim Hagemann Snabe, was one of those leaders. As he shares about Maersk’s $250M-$300M cyber attack during this World Economic Forum session (min 6:37), more than 90% of all Maersk’s orders come through the internet, but their cyber security was average at the time of the attack. One of his conclusions was that the incident was a wake-up call to be better than average, to be the best they can be.

The role and adoption of technology will only increase as new innovations such as generative AI continue to evolve. Additionally, the growing number of third-party providers, suppliers and vendors, and their own reliance on digital technology, will make it more complex to determine a business’s level of technology dependence. Either way, most organizations’ dependence on technology will continue to increase and will influence the amount of effective cyber oversight needed from the board. Most boards should therefore prioritize cyber oversight elements accordingly.

Cyber Oversight Elements - The Vital Few

Prioritizing a few oversight elements is the key to optimizing effective cyber risk oversight. These priority elements, the vital few, deliver significant leverage for the actions of board directors. The first of these, incident preparedness, should be priority #1. For the rest of the top six vital few, download the guide.

Scope Of Impact: When considering the scope and criticality of impact in the context of the cyber oversight needed, it is helpful to evaluate the cascading effects and criticality of impact of a material cyber attack. The cascading effect is a particularly important factor because it provides a more holistic/strategic view that encompasses second-order effects of a cyber incident. The Change Healthcare incident is a good example of this cascading ripple effect because the impact of the data breach was at least two levels deep. First, insurance companies and payers couldn’t process patient claims for doctors’ services rendered. Second, doctors’ offices couldn’t get paid for several weeks, which put a significant financial/payroll burden on them. Additionally, patients couldn’t get their prescriptions filled as a result of the incident. It affected the healthcare supply chain and not just Change Healthcare.

Unlike a typical data breach that affects just the company and its direct individual customers, some cyber incidents affect customers of customers of customers, creating a massive domino effect. Often these cyber incidents and their resulting impacts are contained in the digital space, but sometimes they extend to the physical space, as with several critical infrastructure organizations. Additionally, identifying concentration risks will help determine the magnitude and scope of impact of cyber incidents. Two questions to ask and consider when evaluating cascading effects and concentration risks:

  • Does your organization pose a concentration risk to your customers/clients along your value chain?

  • Does your organization have any concentration risks within, where there’s an over-reliance on one or two suppliers, partners or vendors?

The important point here is that boards should factor the scope of impact into their assessment of the amount of oversight needed. This is another one of those elements that is difficult to determine until an incident occurs, but board directors can request from management a business impact analysis that accounts for cascading effects, to help understand the ongoing oversight needs.

Strategic Direction: The organization’s strategic direction is a factor that helps anticipate the future cyber oversight needs that are likely to emerge. Boards can be proactive rather than reactive when they include the strategic direction of the organization in the cyber oversight needs evaluation. This proactive anticipation allows boards to skate to where the puck is going to be, in the words of Wayne Gretzky, and to get ahead and stay ahead of oversight needs and governance practices.

Consider, for example, an organization with a long-term strategy that’s driven by a high volume of M&A activity as well as external collaborations and partnerships. What effect does this strategy have, or should it have, on the cyber oversight needs? All things being equal, a different level of cyber oversight will be required compared to a strategy that doesn’t call for heavy M&A. This may include different board committee structures, expertise and governance practices to support the long-term strategy.

Without this consideration, boards concentrate on reacting to cyber oversight and governance gaps that could have been anticipated. They may fail the organization by not preparing it for the rapid recovery and resilience required.

It may surprise some that Change Healthcare was acquired by UnitedHealth Group in 2022. In 2024, a Senate letter was directed at the CEO and the board. A board that had taken a proactive approach would feel confident in describing its robust oversight practices to show that it did all that could have been done to address the cyber risk.

As expected, a mismatch between oversight levels and organizational strategy will cause additional challenges. As in other oversight areas, too much cyber oversight (when little is required) becomes an unnecessary burden on management, while too little (when more is required) may result in preventable intrusions, poor incident response, compliance violations and legal penalties. Adopting the Goldilocks principle is the best approach here, as you want the level of cyber oversight to be just right.

In summary, the new business environment that calls for increased cyber oversight by directors isn’t likely to go away. Therefore, boards must maintain a long-term view of exercising effective cyber oversight in service of all stakeholders of their organizations.

Effective oversight begins by proactively and correctly defining the cyber challenge and the oversight needs (both the type and the degree of oversight). It’s about ensuring you have the right ingredients, in the right quantities, to create the recipe for effective oversight, which in turn will produce effective cyber resilience and all the associated benefits.

Cyber oversight isn’t just about looking at cyber risks as a problem for the CIO/CISO to navigate; it’s also about truly seeing all the other dimensions of the challenge from a CEO and board level. As we stated at the beginning, it’s not what you look at but what you see, and we sincerely hope that these fundamental actions will help you see for effective oversight and not just look or observe.
