Today’s boards need cyber expertise more than ever

In considering the makeup of their board, many public companies have not added cybersecurity expertise to their list of priorities. Directors can assess many other forms of risk with or without specific expertise, the thinking goes, and boards can rely on management teams to effectively address it.

The problem with this thinking is that cyber risk is fundamentally not like every other risk. It is man-made; intentionally perpetrated using incredibly sophisticated tradecraft; ubiquitous; and often successful. That is far different from the nature of, say, weather hazards like hurricanes. The capricious and limited probability of hurricane damage to a company facility or supply chain is such that no one would reasonably expect board members to be meteorologists. But the near certainty that every company is being intentionally attacked all the time by smart, capable, and patient adversaries, not to mention AI bots, does suggest the prudence of having some level of cyber knowledge on a board.

What’s more, because most companies’ assets are digital, experiencing a major cyber event that wipes out “crown jewel” assets would call into question whether the board failed in its fundamental role to protect company value and reputation. Few other risks, if any, have the potential for that level of existential damage.

Other reasons to add cybersecurity expertise to every organization’s board include:

Investor expectations: The SEC recently released its final cybersecurity rule for risk management, strategy, governance, and incident disclosure. While the Commission ultimately did not include a requirement that public companies disclose the scope and source of cybersecurity expertise of their board members, the rules that were included still make a strong case for cultivating/securing this expertise. Section 106(b) describes the need for disclosure of information that could be material to investment decisions of investors, including the company’s “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats”; Section 106(c) requires disclosure of how the board oversees cybersecurity risk. There will, therefore, still be the expectation by investors that the board competently evaluates cyber risk and exercises a fiduciary duty of care commensurate with the nature of this risk, as they would any other risk. But how do they meet this expectation without the requisite cyber competence?

Legal risk: It is important to note that the SEC’s ruling does not diminish the legal risks of cybersecurity incidents. CISOs (chief information security officers) may still face criminal exposure after a devastating breach, and private litigation risk could worsen from individual and class-action lawsuits because plaintiffs could claim that the board’s duty of care was breached – by definition – in not having cyber knowledge sufficient to execute its duty of care for this unique risk. A board with cyber skills would help provide critical, competent support against these claims.

Independent expertise: Securing a board member with cyber expertise provides non-cyber-conversant board members with a “go-to” cyber colleague. Best practice in board independence suggests that it’s a bad idea to rely solely on management’s quarterly or annual reporting, or on the advice of the cyber consultant or contractor that the CISO already engages; the board needs its own independent advisor.

Governance: The “G” in ESG is for good governance, which is exemplified by risk-commensurate decision-making, a core tenet of sound risk management. Given the unique pervasiveness and potentially devasting impact of cyber risk, having cybersecurity expertise on the board is critical to good governance and enterprise risk management. Those are important investment factors for rating agencies, investors, investment advisors, and broker/dealers.

Overall, maintaining cybersecurity expertise is an exercise in good liability management. No public company would fail to have someone with financial expertise overseeing the committee that is responsible for the company’s financial reporting. Cybersecurity should be the same.