Topics:   Compliance,Cybersecurity,Legislative & Regulatory,Regulations & Legislation,Risk Management

Topics:   Compliance,Cybersecurity,Legislative & Regulatory,Regulations & Legislation,Risk Management

July 18, 2019

Overseeing Cyber Risks in a Complex Regulatory Landscape

July 18, 2019

Organizations face increasing cybersecurity risks and threats to their customers, financial information, operations and other data, processes, and systems—and state and federal governments are alert to the threats imposed on their constituents. To understand just how widespread concerns about these risks are, look no further than the abundance of cybersecurity legislation that is currently on the dockets of state legislatures across the country.

For example, California, New Jersey, Washington, and Illinois are among the latest states to enact breach notification legislation that will significantly impact businesses operating in those jurisdictions by defining whether, when, how, and to whom notifications of a breach must occur. Some of these laws are going into effect just months after being signed and the cost of noncompliance can be severe (in California, fines are assessed per record breached).

As stewards of the strategy, finances, reputation, and overall direction of an organization, corporate directors have an important role to play in ensuring adequate policies and protections are in place to answer the demands of such regulations—and that their whole board is ready to meet the oversight demands of new regulations.

Directors are in a position to provide the leadership and strategic direction necessary to help their organizations balance the need to safeguard information, minimize disruption in case of an attack or breach, provide transparency, and manage a sustainable cybersecurity program with competing strategic priorities.

There are four key steps boards should take to ensure adequate cybersecurity program development and oversight in response to emerging regulations and threats:

1. Understand the threat landscape and how companies are expected to respond under the law. Corporate directors and leaders need a clear picture of the threats at play to assess and implement an appropriate response framework that both meets the business’s needs and is compliant with a complex web of laws.

Adversaries’ tactics will vary based on their motivations. Nation-states may be focused on cyber warfare while garden variety criminals (including internal threats) are likely to commit fraud or steal information. Each of these threat types will warrant their own response, and may also warrant involving different law enforcement and regulatory agencies.

It is also important to note that the nature of threats will vary by industry. A real estate company is likely to face a higher risk of wire fraud, while a manufacturer might be a target of theft of information by foreign governments. Directors should spend time in their busy schedules understanding the appropriate responses required per industry-specific regulations.

In addition, the range of threats—from phishing and social engineering to attacks on the supply chain—is constantly shifting. Boards must be aware of emerging threats, ensure they have the right team in place as first responders, and ensure people and processes are in place to help mitigate and address regulatory and compliance consequences from cyber incidents.

2. Ask relevant executives, leaders, and legal counsel the right questions. The board is tasked with gathering information from leadership, but the value of the exercise is dependent on asking the right questions. This ability becomes much more acutely important in light of a cyber breach, but should be practiced early and often. While these types of questions have been suggested for review by many in the cybersecurity community, it is worth asking the following in light of increased regulatory action:

  • On risk: What are our risks and how are they being mitigated? Who is the owner of a particular risk?
  • On capabilities: What are the people, tools, and processes we have in place to implement our cybersecurity framework? Do these comply with the demands of new and existing regulations?
  • On controls: What controls are currently in place? What are the organization’s cybersecurity policies and procedures (e.g., incident response plan) and when were they last reviewed, tested, and updated? What training do employees receive regarding privacy and security?
  • On trends: What industry-leading best practices should be considered? What stories of disaster should we read and learn from?
  • On regulation: What is taking shape at the local, state, and federal levels that will impact the business? What is the plan to get compliant and stay compliant?

3. Know the potential costs and how they influence risk tolerance. In the event of an attack, it will be important to demonstrate to regulators good faith efforts to identify and remedy risks. The extent to which an organization can show regulators that they did the work up front and put controls into place based on industry standards and best practices will determine the strength of their case for reduced penalties. For most organizations, cybersecurity incidents and regulatory noncompliance are associated with legal, financial, and reputational risks.

Compliance and risk mitigation come with their own set of financial costs. In Arizona, the maximum fine is $500,000 per breach event while Alabama can impose a fine of $5,000 per day for failure to comply with its notification law. To make decisions about risk tolerance, companies need to balance the risk with the cost of everything from business interruption to notification costs and potential fines.

Directors of companies should also closely review their own director and officer liability insurance policies frequently to see if cyber-risk-related incidents are covered.

4. Establish metrics for governance. One of a board’s most important roles is to establish and assess metrics to enable oversight of the company’s cybersecurity program. The board should prioritize the development of a well-documented plan that is designed to account for and address evolving regulations, including a board-level metrics portfolio focusing on the following categories:

  • Program status, including cybersecurity strategy milestones and program tracking;
  • Internal environment updates such as patching and the state of infrastructure, and the capacity of people to prevent phishing and data loss;
  • External environment updates, including the ability to gather threat intelligence and respond to emerging cyberthreat trends;
  • Compliance and audit figures on cybersecurity audit planning and regulatory compliance tracking; and
  • Response figures on disaster recovery, business continuity, and incidence response planning.

Board members’ oversight of cybersecurity programs is crucial to protecting business interests from current and future threats. This requires boards to take an active role in strategy, validation, detection, and response plans, ultimately steering the dialogue with stakeholders to better understand, assess, and identify cybersecurity needs and deficiencies that need to be addressed.

It is impractical and inefficient for organizations to revamp their cybersecurity risk management program each time a new law goes into effect. Organizations with a presence in multiple jurisdictions should instead think holistically about their programs. With the cyberthreat landscape constantly changing, it requires that risks be regularly weighed against strategic goals—and that the company meets the regulatory demands created to protect businesses and consumers alike. By ensuring the quality of a company’s cybersecurity framework through leadership and oversight, a board can fulfill its obligation to protect the overall health and sustainability of the organization.

David Ross is a principal and the cybersecurity and privacy practices lead at Baker Tilly.


Shelley LeibowitzJuly 24, 2019

An excellent and clear summary for effective Board oversight. Well done, and well articulated.