We’re not surprised. In most cases, management still reports on cybersecurity with imprecise scorecards like red-yellow-green “heat maps,” security “maturity ratings,” and highly technical data that are out of step with the metric-based reporting that is common for other enterprise reporting disciplines.
Boards deserve better. We recognize that cybersecurity is a relatively young discipline, compared to others under the umbrella of enterprise risk management (ERM). But it’s not a special snowflake. Management can and should deliver reports that are:
Transparent about performance, with economically-focused results based on easily understood methods.
Benchmarked, so directors can see metrics in context to peer companies or the industry.
Decision-oriented, so the board can provide oversight of management’s decisions, including resource allocation, security controls, and cyber insurance.
While that level of reporting may still be aspirational for some companies, directors can drive their organizations forward by asking the following five questions, and demanding answers backed by the sorts of metrics and reports that we suggest below.
Before we get to the questions, there’s an over-arching prerequisite for sensible reporting: Every key performance and risk indicator should be tracked against a target performance or risk appetite, respectively.
That means defining risk tolerances in an objective, clear, and measurable way—for instance, “our critical systems downtime should always be less than one percent”—so that an analyst’s gut feelings aren’t determining results.
1. What is the threat environment that we face?
The chief information security officer or chief risk officer should paint a picture of the threat environment (cybercriminals, nation-states, malicious insiders, etc.) that describes what’s going on globally, in our industry, and within the organization. Examples of good metrics and reports include:
Global cyber-related financial and data losses
New cyber breaches and lessons learned
Trends in ransomware, zero-day attacks, and new attack patterns
Cyber threat trends from ISACs (information sharing and analysis centers)
2. What is our cyber-risk profile as defined from the outside looking in?
Boards should get cyber-risk assessments from independent sources. Useful sources of information include:
Independent security ratings of the company, benchmarked against peers
Third-party and fourth-party risk indicators
Independent security assessments (e.g., external consultants and auditors)
3. What is our cyber-risk profile as defined by internal leadership?
Management should provide assessments with tangible performance and risk metrics on the company’s cybersecurity program, which may include:
NIST-based program maturity assessment
Compliance metrics on basic cyber hygiene (the five Ps): passwords, privileged access, patching, phishing, and penetration testing
Percentage of critical systems downtime and time to recover
Mean time to detect and remediate cyber breaches
4. What is our cyber-risk exposure in economic terms?
Based on the company’s cyber-risk profile, the central question is: What is the company’s potential loss?
In the past 30 years, we have seen that question answered in economic terms in each and every risk discipline in ERM: interest rate risk, market risk, credit risk, operational risk, and strategic risk. Now we need to address that question for cyber risk. This expectation can also be found in the U.S. Securities and Exchange Commission’s new guidance on cybersecurity disclosures and its focus on quantitative risk factors.
The Factor Analysis of Information Risk (FAIR) methodology is a widely accepted standard for quantifying cyber value-at-risk. The FAIR model provides an analytical approach to quantify cyber-risk exposure and meet the heightened expectations of key stakeholders.
In the current environment, directors should demand more robust reporting on metrics such as:
Value of enterprise digital assets, especially the company’s crown jewels
Probability of occurrence and potential loss magnitude
Potential reputational damage and impact on shareholder value
Costs of developing and maintaining the cybersecurity program
Costs of compliance with regulatory requirements (e.g., the EU’s General Data Protection Regulation)
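As an added illustration (not from the article, and not the FAIR standard's own tooling), the following simplified FAIR-style Monte Carlo in Python turns the two factors named above, probability of occurrence (modelled as a loss-event frequency) and potential loss magnitude, into an annualized loss expectancy and a 95% value-at-risk, and then checks that figure against a board-stated risk appetite of the kind the prerequisite section calls for. Every scenario number (event rate, median loss, spread, appetite) is a constructed assumption.

```python
import math
import random
import statistics

# Simplified FAIR-style loss model (added example, not the FAIR standard itself):
# annual loss = sum of per-event losses, where the number of loss events in a
# year is Poisson-distributed and each event's magnitude is lognormal.

def poisson_draw(rng, mean):
    """Knuth's algorithm; adequate for the small event rates typical of loss scenarios."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(events_per_year, median_loss, sigma, years=10_000, seed=7):
    """Return a sorted list of simulated annual losses for one loss scenario."""
    rng = random.Random(seed)            # fixed seed so board figures are reproducible
    mu = math.log(median_loss)           # lognormal parameter giving the stated median
    losses = []
    for _ in range(years):
        n = poisson_draw(rng, events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return sorted(losses)

def percentile(sorted_values, q):
    """Nearest-rank percentile, e.g. q=0.95 for a 95% value-at-risk."""
    idx = max(0, math.ceil(q * len(sorted_values)) - 1)
    return sorted_values[idx]

def exposure_report(sorted_losses, appetite):
    """Annualized loss expectancy, 95% VaR, and whether VaR sits within the stated appetite."""
    ale = statistics.mean(sorted_losses)
    var95 = percentile(sorted_losses, 0.95)
    return {"ale": ale, "var95": var95, "within_appetite": var95 <= appetite}

if __name__ == "__main__":
    # Constructed scenario: ransomware on a critical system, roughly one event every
    # two years, median loss $200k with wide uncertainty (sigma=1.0), and a board
    # appetite of at most $1M of loss at 95% confidence.
    losses = simulate_annual_losses(0.5, 200_000, 1.0)
    print(exposure_report(losses, appetite=1_000_000))
```

Reporting the 95% figure next to the appetite gives the board a single, economically stated line per scenario rather than a colour on a heat map.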
5. Are we making the right business and operational decisions?
Cyber is not simply a technology, security, or even risk issue. Rather, it is a business issue and a “cost of doing business” in the digital economy. On the opportunity side, advanced technologies and digital innovations can help companies offer new products and services, delight their customers, and streamline or disrupt the supply chain. As a top strategic issue, management should provide the board with risk and return metrics that can support effective oversight of business and operational decisions, such as:
Risk-adjusted profitability of digital businesses and strategies
Return on investment of cybersecurity controls
Cyber insurance versus self-insured
We believe the number should be zero when it comes to the percentage of directors dissatisfied with the cybersecurity information provided by management. Based on our own observations of the quality of board reporting on cybersecurity, there remain significant gaps. We hope our article will serve as a framework for directors and executives to discuss ways to close those gaps.
Investors are on to a definite theme these days—and Kinder Morgan and Anadarko Petroleum Corp. are the latest companies to experience it.
Earlier this month, investors in the energy infrastructure giant backed shareholder resolutions calling for more transparency and reporting on how Kinder Morgan is addressing the impacts of climate change and mitigating the risks. A similar resolution at Anadarko also received a majority vote this month.
As I wrote in a recent NACD blog, one consequence of this growing focus on climate risks is that investors, led by major money managers such as BlackRock and State Street, are increasingly emphasizing the role of corporate boards in driving company responses.
And now Systems Rule, a new report from Ceres, shows that investors are right to push for strong governance systems for sustainability.
Our analysis of board governance practices and performance data of large global companies found that businesses that integrate sustainability priorities such as climate change into board mandates, director expertise, and executive compensation also demonstrate strong performance on sustainability issues.
The report provides important insights for boards to pay attention to as they consider how to oversee climate-change-related risks and strategy.
But here’s the issue: Most large companies aren’t among these performers because they still have fragmented systems of board governance, especially when it comes to sustainability oversight.
This is partly because many directors and company leaders still do not understand the material impacts associated with environmental and social issues, like climate change. In fact, Systems Rule noted that only 17 percent of corporate directors have demonstrated expertise in sustainability issues.
For companies to get moving and establish governance systems that can deliver commitments and performance on climate change, the whole board needs to start by establishing some baseline fluency that will help them understand when these issues could in fact be material.
Developed specifically to increase board fluency in climate change, the report provides an overview of the different ways that climate change can impact an enterprise and how boards can integrate climate change oversight into their responsibilities in the boardroom.
It’s designed to be a valuable tool for corporate directors who want to educate themselves on what this issue means to their business and what they can do about it.
So how practically can directors build climate competency into their board?
Formally include oversight of climate-change-related issues in the board structure. Formalizing climate change’s importance to business by including it in board committees’ mandates ensures the topic is regularly discussed. Citigroup, Ford Motor Co., and Nike are just a few of the companies that do this.
Recruit climate-competent directors. Committees should cast a wide net through the nominating process so they can consider candidates with diverse backgrounds and expertise in addressing climate change.
Integrate climate change into strategic planning and risk oversight. Directors should ensure that management takes the business impacts of climate change into account at every level of the company. Businesses including BHP Billiton and Shell conduct scenario analyses to assess the impacts of climate change on their portfolio of assets and business policies.
Tie executive compensation to actions that mitigate climate change. To encourage action, executive compensation can be tied to a company’s progress on addressing climate-related risks and opportunities, such as cutting greenhouse gas emissions. Xcel Energy links 30 percent of its executive compensation to carbon emission reduction goals.
Promote climate change disclosure. Without robust disclosure, investors cannot accurately analyze how a company is responding to climate change. Companies including Aviva, Unilever, and Zurich Insurance committed to updating their disclosures based on new Task Force on Climate-related Financial Disclosure (TCFD) guidelines.
The takeaway from our research is clear. It pays for companies and boards to adopt strong board oversight systems for climate change. But as a first step, boards should develop climate fluency to understand the material risks their company may face. Fluency with the issues and strong, holistic governance systems will lead to the performance impacts that investors and other stakeholders want to see.
Veena Ramani is program director of capital market systems programs at Ceres.
From the recent botnet attack on home and small-office routers to renewed attention to cybersecurity at the U.S. Securities and Exchange Commission (SEC), directors of companies are tasked with understanding and overseeing a mounting range of information about cyber risks. Recognizing that directors need oversight-specific resources to guide their understanding of this critical risk, the National Association of Corporate Directors (NACD), Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University (CMU) partnered to develop the Cyber-Risk Oversight Program.
The program is tailored specifically to the needs of the director and is updated periodically with webinars to provide context on the most recent developments in cybersecurity. Students who complete the course and pass a series of quizzes are awarded the CERT Certificate in Cybersecurity Oversight. They also join a group of their peers who are publicly acknowledged for having completed the program.
“Cyber-Risk Oversight: Boardroom Update” is the first installment in our Cyber-Risk Oversight webinar series. Completion of the program is not a requirement to view this webinar. Some chief insights from the webinar follow.
What’s New in the Threat Environment
According to the 2017 Cybercrime Report, published by Cybersecurity Ventures and the Herjavec Group, cybercrime will cost the global business market $6 trillion annually by 2021. Summer C. Fowler, a member of the CERT Institute faculty at CMU and an instructor in the Cyber-Risk Oversight Program, says that this considerable cost suggests that directors should pay closer attention to cyber-risk oversight, as cyber risks take a material toll on companies. Below is a summary of some of the more pressing threats discussed in the webinar.
Just under three-quarters of cybersecurity breaches of companies’ systems come from an outside source, while 27 percent come from insiders. Fifty percent of the breaches are carried out by criminals acting with financial gain in mind.
Small businesses have become a primary target for cybercriminals because they oftentimes do not have sufficient resources to defend themselves. Directors of these types of companies and nonprofits should ask questions of the organization’s executives to understand how data is being protected.
The average time to discover a breach is six months, down from seven months in 2017. This number is alarming, as cybercriminals are still spending significant time in systems without being detected.
Members of boards of directors are very often the targets of whaling attempts: phishing attempts in which an e-mail is crafted to look like a critical, legitimate request. For example, an e-mail may be drafted to appear as though it has come through the chain of command. Multiple people will often be targeted at once in these attempts, to increase the appearance of legitimacy. Whaling can be extremely convincing, and directors should receive training on how to avoid falling victim to these attacks.
Cybersecurity and the SEC
In recent years the corporate approach to cybersecurity has shifted from a reactive to a proactive mindset. These shifts have also been significant from a legal perspective, as ensuring cybersecurity and data protection becomes the responsibility of many people, rather than one single person. Cybersecurity also has become a priority for the SEC. In 2011, the SEC’s Division of Corporation Finance issued guidance on how companies should approach disclosure of a breach to investors. While the chief regulator of public companies has not since made any specific rules on reporting of cybersecurity incidents, it restated its guidance on what it expects companies to do to be transparent to shareholders about breaches. In February, the SEC released guidance for companies to consider when evaluating cybersecurity risks for disclosure. The SEC suggests that the board needs to think about more than the concrete costs of recovering after a cyber breach.
The factors that a board should consider in cybersecurity disclosure are:
occurrence, frequency, and severity of prior cybersecurity incidents;
probability and potential magnitude of cybersecurity incidents;
adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
aspects of the company’s business and operations that give rise to material cybersecurity risk;
costs associated with maintaining cybersecurity protections;
potential for reputational harm;
existing or pending laws and regulations that may affect the company’s cybersecurity requirements; and
litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
Are you interested in earning a respected credential in cyber-risk oversight at your own pace? NACD members and those who are not yet members are encouraged to watch the webinar embedded above to preview the course’s offerings and to register for the course.