08/04/2023

Today’s boards need cyber expertise more than ever

    Image illustrating cybersecurity SEC rules

    In considering the makeup of their board, many public companies have not added cybersecurity expertise to their list of priorities. Directors can assess many other forms of risk with or without specific expertise, the thinking goes, and boards can rely on management teams to effectively address it.

    The problem with this thinking is that cyber risk is fundamentally not like every other risk. It is man-made; intentionally perpetrated using incredibly sophisticated tradecraft; ubiquitous; and often successful. That is far different from the nature of, say, weather hazards like hurricanes. The capricious and limited probability of hurricane damage to a company facility or supply chain is such that no one would reasonably expect board members to be meteorologists. But the near certainty that every company is being intentionally attacked all the time by smart, capable, and patient adversaries, not to mention AI bots, does suggest the prudence of having some level of cyber knowledge on a board.

    What’s more, because most companies’ assets are digital, experiencing a major cyber event that wipes out “crown jewel” assets would call into question whether the board failed in its fundamental role to protect company value and reputation. Few other risks, if any, have the potential for that level of existential damage.

    Other reasons to add cybersecurity expertise to every organization’s board include:

    Investor expectations: The SEC recently released its final cybersecurity rule for risk management, strategy, governance, and incident disclosure. While the Commission ultimately did not include a requirement that public companies disclose the scope and source of cybersecurity expertise of their board members, the rules that were included still make a strong case for cultivating/securing this expertise. Section 106(b) describes the need for disclosure of information that could be material to investment decisions of investors, including the company’s “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats”; Section 106(c) requires disclosure of how the board oversees cybersecurity risk. There will, therefore, still be the expectation by investors that the board competently evaluates cyber risk and exercises a fiduciary duty of care commensurate with the nature of this risk, as they would any other risk. But how do they meet this expectation without the requisite cyber competence?

    Legal risk: It is important to note that the SEC’s ruling does not diminish the legal risks of cybersecurity incidents. CISOs (chief information security officers) may still face criminal exposure after a devastating breach, and private litigation risk could worsen from individual and class-action lawsuits because plaintiffs could claim that the board’s duty of care was breached – by definition – in not having cyber knowledge sufficient to execute its duty of care for this unique risk. A board with cyber skills would help provide critical, competent support against these claims.

    Independent expertise: Securing a board member with cyber expertise provides non-cyber-conversant board members with a “go-to” cyber colleague. Best practice in board independence suggests that it’s a bad idea to rely solely on management’s quarterly or annual reporting, or on the advice of the cyber consultant or contractor that the CISO already engages; the board needs its own independent advisor.

    Governance: The “G” in ESG is for good governance, which is exemplified by risk-commensurate decision-making, a core tenet of sound risk management. Given the unique pervasiveness and potentially devasting impact of cyber risk, having cybersecurity expertise on the board is critical to good governance and enterprise risk management. Those are important investment factors for rating agencies, investors, investment advisors, and broker/dealers.

    Overall, maintaining cybersecurity expertise is an exercise in good liability management. No public company would fail to have someone with financial expertise overseeing the committee that is responsible for the company’s financial reporting. Cybersecurity should be the same.

    Next steps

    As openings allow, companies that don’t yet have a strong cybersecurity presence on their board should aim to add a member or two who thoroughly understand cyber risk. While senior-level and board-ready cyber experts may be challenging to find, boards can engage search firms that have board recruitment practices to fill that gap. An extraordinary number of qualified experts are surprisingly not being recruited, indicating that the issue is less about “supply” and more about “demand” for these cyber pros.

    In the meantime:

    • Schedule board-appropriate training to begin to slowly improve all members’ cyber awareness and knowledge. Without a strong cyber-capable member, every board member will be held responsible when a breach inevitably occurs, and potentially incur some liability risk.
    • Consider engaging outside consulting firms that are independent from company management to provide this training, so that boards get an independent perspective of cyber risk.
    • Regardless of whether they have a designated cyber member, all boards should review the limits of their directors’ and officers’ insurance policy. Every individual board member – especially independent members – should review the adequacy of their personal liability insurance policy.

    At a time when cybersecurity events are causing investors billions of dollars of losses in enterprise value, the importance of independent, knowledgeable, and skilled cybersecurity governance at the board level cannot be overstated. Thoughtful boards should work as soon as possible to enhance their cyber capacity and knowledge quotient.

    Contact our team for more information or to build your path to a cyber-aware board.

    Contact

    Scott Corzine, Managing Director, Cybersecurity, Technology Risk, and Privacy

    703.744.8541

    Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

    703.847.4418

    Subject matter expertise

    • Bhavesh Vadhani
      Contact Bhavesh Bhavesh+Vadhani bhavesh.vadhani@cohnreznick.com
      Bhavesh Vadhani

      CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

      Go to Bio
    • scott corzine
      Contact Scott Scott+Corzine scott.corzine@cohnreznick.com
      Scott Corzine

      Managing Director, Cybersecurity, Technology Risk and Privacy

      Go to Bio
      • Close

      Contact

      Let’s start a conversation about your company’s strategic goals and vision for the future.

      Please fill all required fields*

      Please verify your information and check to see if all require fields have been filled in.

      Please select job function
      Please select job level
      Please select country
      Please select state
      Please select industry
      Please select topic

    Cybersecurity & Privacy

    Explore our services
    This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.