Keeping Up with Breaches: What Your Board Can Learn from Proxy Disclosures

High-profile breaches make the news far too often, ones that compromise hundreds of millions of people’s data and that cost organizations millions of dollars. Many companies that have been hit are still working to recover from reputational and financial damages, months and even years later.

Looking beyond the big headlines, though, your board can find valuable information on cybersecurity in those companies’ proxy statements.

In 2018, the Securities and Exchange Commission (SEC) issued updated interpretive guidance to help public companies draft their cybersecurity disclosures. The guidance encourages companies to be more transparent on their cybersecurity risks and incident disclosures, including disclosing the board’s role in overseeing cybersecurity risk. But if you look at most companies’ proxy statements, their disclosures don’t really say much. In fact, they often include only a sentence or two with boilerplate language that simply states that their board or one of its committees oversees risks related to cybersecurity.

On the other hand, when you look at the proxies of some companies that have successfully managed to make it through a breach, there’s usually a noticeable difference. They are more transparent about their board’s cybersecurity oversight. Their disclosures are also more robust, spelling out in more detail what their boards are doing to get a better handle on cybersecurity.

Here are some of the things such companies are doing—and that your board can do as well to strengthen your cybersecurity policies and procedures:

• Having “private sessions” with the chief information security officer (CISO) or chief information officer (CIO). Private sessions have historically been used by the audit committee to hear from someone leading a significant risk area of the company without senior management in the room. Having a similar private session with the CISO or CIO provides an opportunity to have candid and confidential conversations, to clarify matters discussed in previous committee meetings, and to talk about sensitive topics like key risks and the adequacy of the cyber budget and resources.
• Hearing directly from third parties about the company’s security programs. Many companies are using third parties to perform cyber readiness assessments, penetration testing, breach table-top crisis simulations, and other support exercises around cybersecurity. While these third parties are generally hired by management, they can also present their findings or points of view to the full board or the committee responsible for overseeing cybersecurity. This provides an “outside-in” perspective on the company’s security program.
• Leveraging internal audit to test aspects of cybersecurity-related internal controls. Companies can use internal audit for independent testing of certain aspects of their cyber risk program. For example, internal audit can look at internal controls around user access control management, security controls, third-party vendor management, security exceptions, exception approvals, and the monitoring of expired exceptions. Internal audit can also follow up on both the results of penetration testing and suggestions for improvement.
• Paying particular attention to the company’s cybersecurity crisis plans. Most companies have accepted that they will have to deal with a cyber breach at some point, so it’s crucial to have a response and recovery plan. Boards who have dealt with breaches are disclosing their active participation in overseeing those plans.
• Including cyber oversight as part of their discussions related to company strategy. Being proactive and focusing on cyber risk at the strategy stage is also critical—ether related to ongoing businesses or the company’s focus on adopting emerging technologies in new business areas. Noting in disclosures that the board is incorporating cyber risk into its strategy discussions indicates that it is getting ahead of the risk and not leaving it as an afterthought.
• Specifying the number of times per year the board is briefed on the threat environment and the company’s progress in addressing cyber risks. Briefings seem to be happening on average about twice a year, with certain industries indicating that they are getting briefings quarterly.

More broadly, some companies are disclosing how they are staying educated related to cyber risk, either by noting annual board training or by discussing the addition of directors with specific cybersecurity expertise to the board.

Companies that have gone through a cyber crisis have experienced the process from start to finish, and they have recognized the need to be more transparent in their disclosures about the board’s role. If you haven’t been through a crisis, it can be helpful to look at such companies’ disclosures. There’s a lot you can learn. At a minimum, you can think about whether your board should be doing the same things, and if you are doing these things already, you might want to enhance your disclosures to show that you’re taking the right steps should your company be hit with a breach.

While there may not be many of the more robust disclosures out there just yet, I believe we’ll start to see more in the future—not only because the likelihood of companies being attacked is constantly on the rise but also because boards will continue to be in the spotlight as cybersecurity oversight evolves.