Cybersecurity and Corporate Boards of Directors

In the face of unrelenting pressure from significant cyber incidents and regulatory action to mitigate them, enterprises are assessing whether they are doing enough to deal with cybersecurity.  Public companies are evaluating responses to new SEC rules calling for disclosures regarding cybersecurity strategy, risk management, and governance practices.  The SEC’s action against SolarWinds is setting off alarm bells throughout the cybersecurity community, causing CISOs to worry about personal liability and companies to reassess their D&O policies and the rising cost of cyber insurance.

See:  https://www.cisecurity.org/solarwinds  

Cybersecurity incidents are unavoidable.  However, in many recent high-profile cases, these incidents have exposed governance and management weaknesses, and disconnects between glowing boilerplate cybersecurity disclosure language and the actual substance of cybersecurity processes.  Companies go to great lengths to revamp their cybersecurity only after these incidents.  Where were the preparation, the notification, and the responsible party beforehand?[1]

There is no doubt that SEC registrants will tighten up and expand their disclosure language, particularly considering that the SEC’s Form 8-K disclosure rules become effective on 15 December 2023, but there are more fundamental problems.  Company boards and C-suites perceive their governance, management, and implementation of cybersecurity processes and procedures to be adequate.  If so, they must be surprised when incidents reveal facts that demonstrate otherwise.

Boards can be overwhelmed by the complexity of cybersecurity and the vast array of detailed management presentations addressing compliance, heat maps, penetration testing, and the like, without understanding their context.  At the same time, they may be comforted by management’s actions to deal with cybersecurity and not feel the need to do more.  If so, are board members pushing cybersecurity governance out to the management team?  Governance cannot be delegated to the management team.  Evidence from well-publicized breaches suggests a lack of governance, or its delegation to management.  Guidance on cybersecurity governance is available from NIST (https://www.nist.gov), which is in the process of adding a “GOVERN” function to its Cybersecurity Framework, defined as follows:

  • “GOVERN directs an understanding of organizational context; the establishment of strategy and cybersecurity supply chain risk management; roles, responsibilities and authorities; policies, processes, and procedures; and the oversight of cybersecurity strategy.”

Board adherence to some form of the GOVERN function is necessary to meet its fiduciary responsibility.  Experienced board members are well-equipped to ask insightful questions, assess risk, and make governance decisions for most business risks and challenges.  However, in the past, the complex nature of cyber risk has caused many board members to shy away from cybersecurity and not devote the time and energy required to fully understand and deal with the issue.  This is unsustainable as incidents and regulatory pressures mount.  Adding cybersecurity expertise to the board can be a partial fix for this problem, so long as these additions are not viewed as a “check-the-box” solution that relieves the rest of the board of its fiduciary duty.

Here are sample questions board members are asking to make this happen:

  • Is our board adhering to its fiduciary governance responsibility or delegating it to management?
  • Does the board understand the enterprise’s business functions and interactions to contextualize cyber risk?
  • Are the board and management adequately structured and organized to deal with cyber risk?
  • Has the enterprise adopted a robust cybersecurity framework it adheres to rigorously?
  • How does the framework fit into overall enterprise risk management?
  • What criteria are used to make changes to cybersecurity spending?
  • Does the board understand risk tolerance, and does it interact with management to develop a risk appetite?
  • Does the board understand cybersecurity presentations by management, or are they presented using tech jargon?
  • Do cybersecurity policies and procedures include customer, third-party, operational, and software interfaces?
  • How do cybersecurity compliance audits relate to governance?
  • What procedures are in place to respond to and report cyber breaches?
  • Does the board participate in tabletop exercises to train for responses to cyber incidents?

Boards want to avoid closing the cybersecurity barn door only after an incident.  To do so, they must transform their cybersecurity governance perception into reality.

Effective cybersecurity requires organizational changes to govern and manage complex digital systems, educational changes to develop a common contextual “systems” understanding among the board and risk experts, and cultural changes to imprint upon the enterprise the importance of shared responsibility for cybersecurity.

The time for an enterprise-wide understanding of systemic cyber risk is today.  There is no better way for boards to be involved than to receive daily targeted cyber threat intelligence reporting delivered to their iPhones every morning by the RedXray service of Red Sky Alliance Corp (https://www.redskyalliance.com/redxray).  The notifications can also be sent to team members and cyber threat responders, who can use the cyber threat intelligence to act appropriately.  According to an IBM report written in 2022, an average cyber breach in the USA will cost $4.35 million to repair and recover from.  Is it worth only a couple of thousand dollars a month to be informed of threats before they become breaches and to block them from returning?

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com   

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941


REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632


[1] https://www.oodaloop.com/archive/2023/12/13/cybersecurity-perception-is-reality-until-facts-intervene/
