BW Businessworld

Avoiding The Pitfalls In Board Cyber Oversight

Periodic disclosures, risk assessment, formal procedures and, most interestingly, disclosure of the board's own cyber expertise and oversight strategy are on the regulatory agenda



In the last issue of this column, we discussed the five steps to building board cyber security. Board oversight of the company's cyber posture is now growing regulatory teeth. In the USA, the SEC is about to finalise rules on cyber security risk management and governance. Under the proposal, periodic disclosures, risk assessment, formal procedures and, most interestingly, disclosure of the board's own cyber expertise and oversight strategy would be required.

This is part of a global trend: regulators are setting firm rules for disclosure of company cyber protections and holding boards directly responsible for assuring them.

As an example, a few years ago only a handful of the top economies imposed corporate data protection laws. Today, over 160 nations enforce such rules, and most of them can reach you no matter where the company is domiciled. How do you, as a board, protect the company (and yourself as a director) from cyber-tech liabilities? Here are some pointers for boards of directors:

  • The board can start by learning exactly what cyber security regulation your company faces from regulators, governance codes and your stock exchanges. Ask information security and legal staff for a summary of these rules: the items regulated, the required protections, oversight and disclosure duties, and the penalties. You need good legal counsel here, because the regulators, jurisdictions and specific laws your company faces are as unique as a fingerprint, but the board still needs to understand them. What is the board doing to keep up to date so that it can make informed risk decisions, and how? In the United States, we recommend the New York State Department of Financial Services Cybersecurity Resource Center as a good primer.

  • We have always advocated proper board recordkeeping and paperwork, and cyber oversight is one more reason to obsess over your meeting agendas, minutes and board information packs. A hacking incident, a loss of data or some other cyber fumble now brings down a litigation hammer unimagined just a decade ago. Moreover, the new wave of cyber security laws focuses not just on protection and prevention but on disclosure, both of any incidents and of how well your defence and oversight structure (including governance) worked at the time. When regulators and plaintiffs' lawyers sift through those disclosures, will they find a well-documented board and committee structure and a plan for cyber oversight? Will agendas show that technology items were a regular part of meetings, and will the minutes back this up? Will board presentations paint a picture of solid board cyber awareness?
  • One way your board can demonstrate proper oversight is by asking questions of the CISO (chief information security officer) and the other staff who manage your company's exposures. Much of this depends on the type of company you govern. Do you hold a lot of personal data, or any that is financially sensitive? What do you have that attackers would want? What could take the company down, and how would you recover it? As with the cyber-regulatory climate noted above, each company's exposures, threats and crown jewels are unique; smart boards learn what attackers will be targeting.
  • Given the complexity of cyber and technology issues, the wise board does not try to go it alone. Plan to seek third-party advice. The digital world is so complex that directors are hard pressed to be experts in every area. Your accounting firms, consultants and legal connections can all connect you with assessors of your defences, penetration testers and providers of board education on technology, which is a crucial ongoing need. For some essentials on your advisory needs, we recommend reaching out to the Global Cyber Security Association.

A final board cyber question, and an urgent one, is how well you are personally protected from liability when the hackers break through. Directors' and officers' (D&O) insurance coverage may or may not keep up with fast-moving cyber liability events. A GB&A insurance brokers' update finds that a growing number of carriers are incorporating carve-outs, especially for data privacy incidents. Carriers are acutely aware of the potential for increased liability. Still, most current claims arising from data breaches do not establish new liabilities but instead fall under "garden variety" D&O claims, according to insurance sources. Ask your D&O broker to give your policies an updated cyber-liability once-over.

Muneer is a Fortune 500 consultant, startup investor and co-founder of the non-profit Medici Institute

Ralph is a global board advisor, coach and publisher

Disclaimer: The views expressed in the article above are those of the authors and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the authors are writing in their personal capacity. The views are not intended, and should not be taken, to represent the official ideas, attitudes or policies of any agency or institution.


Dr M Muneer

The author is Co-founder and Chief Evangelist at the non-profit Medici Institute Foundation for Diversity and Innovation; and also the CEO of CustomerLab Solutions, a strategy execution and disruptive innovation consulting firm.


Ralph Ward

The author is a board governance specialist.
