Cybersecurity,Investor Relations,Risk Management
November 20, 2019
Keeping Up with Breaches: What Your Board Can Learn from Proxy Disclosures
November 20, 2019
High-profile breaches make the news far too often, ones that
compromise hundreds of millions of people’s data and that cost organizations
millions of dollars. Many companies that have been hit are still working to recover
from reputational and financial damages, months and even years later.
Looking beyond the big headlines, though, your board can
find valuable information on cybersecurity in those companies’ proxy
In 2018, the Securities and Exchange Commission (SEC) issued updated interpretive guidance to help public companies draft their cybersecurity disclosures. The guidance encourages companies to be more transparent on their cybersecurity risks and incident disclosures, including disclosing the board’s role in overseeing cybersecurity risk. But if you look at most companies’ proxy statements, their disclosures don’t really say much. In fact, they often include only a sentence or two with boilerplate language that simply states that their board or one of its committees oversees risks related to cybersecurity.
On the other hand, when you look at the proxies of some companies that have successfully managed to make it through a breach, there’s usually a noticeable difference. They are more transparent about their board’s cybersecurity oversight. Their disclosures are also more robust, spelling out in more detail what their boards are doing to get a better handle on cybersecurity.
Here are some of the things such companies are doing—and
that your board can do as well to strengthen your cybersecurity policies and
“private sessions” with the chief information security officer (CISO) or chief
information officer (CIO). Private sessions have historically been used by
the audit committee to hear from someone leading a significant risk area of the
company without senior management in the room. Having a similar private session
with the CISO or CIO provides an opportunity to have candid and confidential
conversations, to clarify matters discussed in previous committee meetings, and
to talk about sensitive topics like key risks and the adequacy of the cyber
budget and resources.
- Hearing directly
from third parties about the company’s security programs. Many companies
are using third parties to perform cyber readiness assessments, penetration
testing, breach table-top crisis simulations, and other support exercises around
cybersecurity. While these third parties are generally hired by management,
they can also present their findings or points of view to the full board or the
committee responsible for overseeing cybersecurity. This provides an “outside-in”
perspective on the company’s security program.
internal audit to test aspects of cybersecurity-related internal controls. Companies
can use internal audit for independent testing of certain aspects of their
cyber risk program. For example, internal audit can look at internal controls
around user access control management, security controls, third-party vendor
management, security exceptions, exception approvals, and the monitoring of
expired exceptions. Internal audit can also follow up on both the results of
penetration testing and suggestions for improvement.
particular attention to the company’s cybersecurity crisis plans. Most companies
have accepted that they will have to deal with a cyber breach at some point, so
it’s crucial to have a response and recovery plan. Boards who have dealt with
breaches are disclosing their active participation in overseeing those plans.
cyber oversight as part of their discussions related to company strategy. Being
proactive and focusing on cyber risk at the strategy stage is also critical—ether
related to ongoing businesses or the company’s focus on adopting emerging
technologies in new business areas. Noting in disclosures that the board is
incorporating cyber risk into its strategy discussions indicates that it is
getting ahead of the risk and not leaving it as an afterthought.
the number of times per year the board is briefed on the threat environment and
the company’s progress in addressing cyber risks. Briefings seem to be happening
on average about twice a year, with certain industries indicating that they are
getting briefings quarterly.
More broadly, some companies are disclosing how they are
staying educated related to cyber risk, either by noting annual board training
or by discussing the addition of directors with specific cybersecurity
expertise to the board.
Companies that have gone through a cyber crisis have experienced the process from start to finish, and they have recognized the need to be more transparent in their disclosures about the board’s role. If you haven’t been through a crisis, it can be helpful to look at such companies’ disclosures. There’s a lot you can learn. At a minimum, you can think about whether your board should be doing the same things, and if you are doing these things already, you might want to enhance your disclosures to show that you’re taking the right steps should your company be hit with a breach.
While there may not be many of the more robust disclosures
out there just yet, I believe we’ll start to see more in the future—not only
because the likelihood of companies being attacked is constantly on the rise but
also because boards will continue to be in the spotlight as cybersecurity oversight