In considering the makeup of their board, many public companies have not added cybersecurity expertise to their list of priorities. Directors can assess many other forms of risk with or without specific expertise, the thinking goes, and boards can rely on management teams to effectively address it.

The problem with this thinking is that cyber risk is fundamentally not like every other risk. It is man-made; intentionally perpetrated using incredibly sophisticated tradecraft; ubiquitous; and often successful. That is far different from the nature of, say, weather hazards like hurricanes. The capricious and limited probability of hurricane damage to a company facility or supply chain is such that no one would reasonably expect board members to be meteorologists. But the near certainty that every company is being intentionally attacked all the time by smart, capable, and patient adversaries, not to mention AI bots, does suggest the prudence of having some level of cyber knowledge on a board.

What’s more, because most companies’ assets are digital, experiencing a major cyber event that wipes out “crown jewel” assets would call into question whether the board failed in its fundamental role to protect company value and reputation. Few other risks, if any, have the potential for that level of existential damage.

Other reasons to add cybersecurity expertise to every organization’s board include:

Investor expectations: The SEC recently released its final cybersecurity rule for risk management, strategy, governance, and incident disclosure. While the Commission ultimately did not include a requirement that public companies disclose the scope and source of cybersecurity expertise of their board members, the rules that were included still make a strong case for cultivating/securing this expertise. Section 106(b) describes the need for disclosure of information that could be material to investment decisions of investors, including the company’s “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats”; Section 106(c) requires disclosure of how the board oversees cybersecurity risk. There will, therefore, still be the expectation by investors that the board competently evaluates cyber risk and exercises a fiduciary duty of care commensurate with the nature of this risk, as they would any other risk. But how do they meet this expectation without the requisite cyber competence?

Legal risk: It is important to note that the SEC’s ruling does not diminish the legal risks of cybersecurity incidents. CISOs (chief information security officers) may still face criminal exposure after a devastating breach, and private litigation risk could worsen from individual and class-action lawsuits because plaintiffs could claim that the board’s duty of care was breached – by definition – in not having cyber knowledge sufficient to execute its duty of care for this unique risk. A board with cyber skills would help provide critical, competent support against these claims.

Independent expertise: Securing a board member with cyber expertise provides non-cyber-conversant board members with a “go-to” cyber colleague. Best practice in board independence suggests that it’s a bad idea to rely solely on management’s quarterly or annual reporting, or on the advice of the cyber consultant or contractor that the CISO already engages; the board needs its own independent advisor.

Governance: The “G” in ESG is for good governance, which is exemplified by risk-commensurate decision-making, a core tenet of sound risk management. Given the unique pervasiveness and potentially devasting impact of cyber risk, having cybersecurity expertise on the board is critical to good governance and enterprise risk management. Those are important investment factors for rating agencies, investors, investment advisors, and broker/dealers.

Overall, maintaining cybersecurity expertise is an exercise in good liability management. No public company would fail to have someone with financial expertise overseeing the committee that is responsible for the company’s financial reporting. Cybersecurity should be the same.

Next steps

As openings allow, companies that don’t yet have a strong cybersecurity presence on their board should aim to add a member or two who thoroughly understand cyber risk. While senior-level and board-ready cyber experts may be challenging to find, boards can engage search firms that have board recruitment practices to fill that gap. An extraordinary number of qualified experts are surprisingly not being recruited, indicating that the issue is less about “supply” and more about “demand” for these cyber pros.

In the meantime:

• Schedule board-appropriate training to begin to slowly improve all members’ cyber awareness and knowledge. Without a strong cyber-capable member, every board member will be held responsible when a breach inevitably occurs, and potentially incur some liability risk.
• Consider engaging outside consulting firms that are independent from company management to provide this training, so that boards get an independent perspective of cyber risk.
• Regardless of whether they have a designated cyber member, all boards should review the limits of their directors’ and officers’ insurance policy. Every individual board member – especially independent members – should review the adequacy of their personal liability insurance policy.

At a time when cybersecurity events are causing investors billions of dollars of losses in enterprise value, the importance of independent, knowledgeable, and skilled cybersecurity governance at the board level cannot be overstated. Thoughtful boards should work as soon as possible to enhance their cyber capacity and knowledge quotient.

Contact our team for more information or to build your path to a cyber-aware board.

Contact

Scott Corzine, Managing Director, Cybersecurity, Technology Risk, and Privacy

703.744.8541

Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

703.847.4418