Cybersecurity, Corporate Governance and Your Board of Directors

Nicholas J Price
9 min read
Corporate technology is a double-edged sword: while it facilitates global communication and allows companies to manage and protect their most valuable information, it can also serve as a gateway for hackers into the firm's most prized information. To effectively manage cybersecurity and ensure a safe operational environment, enterprises need to recognize their security shortcomings, especially as technology continues to evolve.

This doesn't only mean evaluating flaws and patching cracks in the corporate communications armor. Companies must develop a cybersecurity policy at the director level and leverage the influence of the board to endow the organization with greater overall control.

Cybersecurity: The Time Is Now

Just how urgent is it for organizations to implement a cybersecurity plan? In late 2016, Amazon and Arby's Restaurant Group, Inc. both suffered security breaches, putting confidential user information and log-in credentials at risk. The Atlanta Journal-Constitution reports that Arby's faces multiple class-action lawsuits.

The Neiman Marcus Group Ltd. recently agreed to pay $1.6 million after a security breach made the personal data of some 350,000 shoppers vulnerable in 2013, CBS reports. Additionally, the Internal Revenue Service continues to work to control the damage caused when the personal information of close to 100,000 taxpayers was compromised in 2015, notes NBC. The IRS "has been struggling to overhaul its defenses against increasingly sophisticated cyberthreats as its budget shrinks and its staff dwindles," the New York Times reports.

The nature of such breaches and the vulnerabilities that they reveal may vary, but these organizations are not alone in struggling with cybersecurity attacks. Japanese telecommunications company NTT Group's 2016 Global Threat Intelligence Report states that just 23 percent of companies can adequately respond to a cyber incident, while 77 percent "have no capability to respond to critical incidents and often purchase incident response support services after an incident has occurred."

Not all companies are resting on their laurels. In early 2017, The Financial Times published an article in which author Keren Elazari, a cybersecurity analyst and senior researcher at the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center, explains that software companies like Microsoft and Facebook are enlisting the help of hackers to identify major security issues in need of immediate attention.

"By rewarding hackers for their discoveries," Elazari writes, "these organisations can learn from their findings, prevent security breaches, and even recruit top cyber security talent."

Nearly 80 percent of directors and general counsel at publicly traded U.S. companies feel that they now have "a good understanding of the cyber risks within their company," according to global business advisory firm FTI Consulting, Inc. and its 11th Annual Law in the Boardroom Study. That said, cyber risk preparedness "topped the list of issues keeping directors and general counsel up at night for the second consecutive year," and just 53 percent of survey respondents feel confident that they are prepared to respond to a cyberattack.

Meanwhile, in Europe, new data protection regulations require companies to assume "appropriate technical and organizational measures to ensure a level of security appropriate to the risk," as Fortune reports. Those that don't could be required to pay penalties amounting to 4 percent of their total revenues, in addition to private lawsuits. In other words, companies the world over are recognizing that the pressure to protect themselves is on.

The problem that boards face is this: companies have yet to adopt a consistent attitude and approach to cybersecurity on an enterprise level. Some directors may feel that they already have a good grasp of the threats, but that doesn't mean they've taken action. And waiting until an attack has happened puts companies at risk of data loss, the exploitation of corporate intelligence and, ultimately, a PR crisis.

Why Cybersecurity Is a Board Issue

Recently, Nasdaq published an article that explored how directors can pilot cybersecurity policies on behalf of the companies they represent. Gordon Clark, president and CEO of healthcare corporate governance resource iProtean, writes, "The magnitude of the cybersecurity threat clearly makes it a board level issue."

Recent data backs up his point. In "Cyber in the Boardroom: Time for a Cyber Risk Chair?," Deloitte reports that while the true cost of cyber crime is difficult to measure, it has been estimated that annual loss related to cyber theft could be in the ballpark of $500 billion worldwide. These attacks impact companies through intellectual property theft, operational issues, brand erosion and more.

Ensuring that the enterprise is sufficiently protected and prepared to deal with a security breach is a vital board duty, and that makes cybersecurity a practical extension of the board's responsibilities. While some directors might shy away from the subject of cyberattacks due to limited technical expertise, Clark explains in the Nasdaq article, The Board's Role in Cybersecurity, it's vital for "all board members, regardless of technical background or inclination, to participate in ensuring the right policies and practices are in place and followed." Directors, he says, should focus on "strategy, policy, and management oversight." That includes everything from IT infrastructure to security training for staff and the company's risk management plan.

While it may be widely acknowledged that companies should adopt a top-down procedure for managing cybersecurity, Deloitte argues that modern business's reliance on digital technology necessitates that boards oversee the management team's efforts to protect all digital assets. "The board of directors has a responsibility to take a more active role," Irfan Saif, U.S. Advisory Leader for Technology with Deloitte & Touche LLP, says.

Saif suggests appointing a cyber chair tasked with heading a cyber oversight effort and monitoring data protection practices. Similarly, Deloitte's DTTL Global Sector Leader for Technology, Eric Openshaw, encourages public companies "to initiate board level exploration of how best to achieve a level of proactive cyber governance and management."

The Role of Cybersecurity in Corporate Governance and the Board Agenda

To make informed decisions about cybersecurity and incorporate the issue into their agenda, boards must first have a clear picture of their company's risk profile. In an article for information security resource Infosecurity Magazine, Greg Reber, CEO of the cyber risk management firm AsTech Consulting, recommends that boards take an aggressive approach to gathering internal intelligence that stands to impact risk. This includes requesting and reviewing reports related to security training, breach response procedures, vendor partners and their own security protocols, and the organization's risk self-assessment program, which, he notes, should be executed annually.

Additionally, Reber emphasizes the value of staying abreast of new security trends and determining which organizational structure will be most effective for meeting the company's security goal ''' even if that means reorganizing the executive management team. "While companies have to look at current security posture and threat environment, putting mechanisms in place for continual improvement is crucial for success in 2017 and beyond," writes Reber.

The best way to tackle these recommendations and elevate cybersecurity as a board issue is by developing a priority list that outlines cybersecurity's new place within the corporate governance framework, along with the steps directors intend to take to maximize their involvement.

In 2014, the National Association of Corporate Directors (NACD ) worked with the American International Group and the Internet Security Alliance to produce a "must-do" cybersecurity list for the board that comprised five core principles. The importance of these hasn't diminished with time, as earlier this year, the NACD released an updated cyber-risk handbook reiterating the guidelines, which include:

  1. Boards must approach cybersecurity as an enterprise-wide risk management issue.
  2. Boards must understand the legal implications of cyber risk.
  3. Directors must have access to experts in cybersecurity and include the subject on their meeting agenda.
  4. Directors must encourage management to establish "an enterprise cyber-risk management framework."
  5. Boards must discuss risk treatment, including which risks should be mitigated, transferred and avoided, and how to do so.

By adopting this strategy, boards position themselves to positively influence cybersecurity readiness and strengthen their organizations' positions on cyber crime and enterprise threat. When directors view cybersecurity as a corporate governance issue ''' and most importantly, have a plan in place for treating it as such ''' it can take its rightful place alongside equally vital concerns like long-term planning, risk management, corporate performance and corporate responsibility.

Board Portals and Secure Communications

When a board assesses how to improve cybersecurity to safeguard an organization's staff, customers and data, the board portal can help. Communication among directors, corporate secretaries and enterprise executives teems with company intelligence and confidential data, making these exchanges a target for hackers.

What's more, with an issue as important as corporate security, the board must lead by example, establishing best practices for the exchange of delicate information that can be applied company-wide and to all forms of messaging.

The quality of board portals can vary dramatically, so there are several factors that chief information security officers should evaluate when determining the level of security they're currently receiving. These include:

  • Does the board portal provider invest in cybersecurity research and development to stay on the cutting edge of emerging threats and data breach trends?
  • Is the software provider accredited, with an upstanding history of annual SOC/SSAE 16 audits and ISO 27001 certification?
  • Does the board portal offer a device authorization solution that restricts access based on both location and device so that managers can reject unknown devices?

If there's evidence that a board portal provider might not be meeting the highest industry standards for security, including safeguarding servers and routers, vetting new hires and staff, and monitoring the board portal system for vulnerabilities, it's crucial that companies find a more trustworthy solution.

The same rule applies to messaging practices within the company. Implementing a secure messaging system with features like Touch ID, message encryption and robust access settings reduces the risk of password hacks as well as the accidental release of confidential company information. Given that just 14 percent of companies have a formal audit process related to device security according to AT&T's Cybersecurity Insights Report, gaining control over the wide array of devices and messaging platforms used by the organization is a big step toward fortifying cybersecurity overall.

Keeping the board of directors, corporate communication and customer data secure may seem like a daunting task, but incorporating cybersecurity into the board's oversight responsibilities so that security is on an equal footing with other indispensable corporate governance issues is a major step toward safeguarding an organization. While no one can guarantee that hackers will steer clear even after directors have implemented their recommendations, the board's efforts can have a dramatic influence on mitigating a potential breach. Contact us for a demo of Diligent's board portal, the most secure board portal software available on the market today.