Corporate cybercrime concerns and costs are greater than ever. Cyberattackers shut down systems, halting operations, as they seek to hold corporations and other organizations hostage, demanding ransom payments that are often in the tens of millions of dollars. Global payouts exceeded $400 million in 2020, according to the White House. The Federal Bureau of Investigation’s Internet Crime Complaint Center recently reported that “Business E-mail Compromise (BEC) schemes cost U.S. businesses more than $2 billion last year,” and that cyber incidents reported to the center totaled nearly $7 billion in potential losses in 2021.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier this year responded to geopolitical concerns by guiding organizations to take a “shields up” approach to defending against cyberattacks. Make no mistake: this defense is no longer just the responsibility of the information technology department or the chief information security officer. A “shields up” approach requires enterprise involvement from the top down, and corporate boards play a critical role in setting the tone for their enterprises.
Regulators, lawmakers and insurance companies are all focused on how companies defend against and respond to cybersecurity incidents. To that end, the U.S. Securities and Exchange Commission (SEC) proposed rule changes that are expected to take effect in 2023 to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.” In the interim, more can be done now to engage boards in cybersecurity governance.
Board directors and the companies they advise are aware of the criticality of cybersecurity, and their perspective can deliver tremendous value in a time of crisis. However, many are more likely to say the value they add is in more traditional board oversight areas, such as capital allocation, succession planning, enterprise risk management, or even mergers and acquisitions. The good news is that directors are hungry for knowledge about leading practices, and they welcome the perspective that can be gained from external advisors and experts.
Build board cybersecurity expertise
To realize greater benefit from corporate boards in their cybersecurity governance role, organizations should consider ways to expand the cybersecurity knowledge resident on their boards. An EY analysis of proxy statements and Form 10-K filings over the past five years quantified the gains that have been made as companies rise to the challenge.
For instance, Fortune 100 disclosures of director cybersecurity skills and expertise increased to 61% of the 74 companies included in 2022, up from 35% in 2018. Additionally, just over half (51%) of Fortune 100 corporations studied this year reported at least one director with cybersecurity expertise in their biography. That is up from 28% in 2018.
Elevate the board’s cybersecurity risk focus
While cybersecurity is a responsibility of the full board, most Fortune 100 companies (88%) now assign oversight to at least one board-level committee, up 16% over 2021. In some instances, cybersecurity may be delegated to a subcommittee, but it is a priority for the full board. Oftentimes it falls to the audit committee.
To further their progress and increase cyber resilience, boards should engage in cyber readiness simulations with the companies they advise to understand where there are opportunities to strengthen cyber defenses, as well as what the board should expect when notified about an incident. For example, only 9% of companies disclosed that they engage in cyber threat simulations and response readiness tests, but even that is up from just 3% in 2018.
The board and corporate management need to be on the same page before a ransomware attack occurs and should decide whether a ransom payment would be approved and under what circumstances. That agreement can be worked through as part of a cybersecurity breach simulation, instead of making decisions in the heat of the moment.
Keep the board abreast of management progress
While board members should raise questions about cybersecurity, they also should receive regular management reports. Just over two-thirds (68%) of Fortune 100 companies are disclosing the frequency of their management reports to their board. That is about twice what was disclosed in 2018.
If a board does not receive regular reports from management, particularly from the chief information security officer (CISO), it’s crucial that they request these updates. In receiving specific updates and disclosing them, boards help stakeholders recognize that cyber is viewed as an enterprise risk, not just an IT risk.
Stay current on public policy and other cybersecurity developments
Collaboration with industry groups, policymakers and peers can be helpful as boards seek to stay current on advancements in cybersecurity practices and requirements that may be written into future laws or regulations. For instance, if proposed SEC regulations are finalized, an organization is required to disclose a material cybersecurity event in a Form 8-K within four days of the attack if there is a “substantial likelihood” that a reasonable shareholder would consider the event important. Periodic updates will be necessary thereafter.
It is also good practice for boards to schedule deep-dive briefings with independent third-party experts to help them evaluate whether their company’s cyber risk management program meets their objectives.
Mind the cyber governance gap with vigilance
Although companies are making progress, more work remains to defend against and respond to the eventuality of a cyberattack — from the top down. Boards have a fiduciary responsibility in their governance capacity to set the tone with their vigilance, engage with the business on its cybersecurity, and demonstrate the criticality of cybersecurity risk mitigation and management through their questions and communication. In doing so, boards also demonstrate to investors and other stakeholders that, together with senior management, the company has established a cybersecurity management structure to defend against cyber risks and to respond quickly in the event of an attack.