Directors Discuss How to Build Cyber-Risk Resilience

“What’s the board’s role in a data breach?”

This was a question posed by one of the director attendees at a recent roundtable event hosted by NACD in partnership with Accenture on how boards can go about building greater cyber resiliency within the organizations they serve. And as a litany of companies have fallen victim to cyberattack and endured considerable financial and reputational fallout—it’s a simple question that demands a nuanced answer.

Robert Kress, managing director at Accenture, encouraged attendees not only to have a well-coordinated response plan mapped out so that it can readily be put into action if and when the worst occurs, but also to “Ask yourselves: How does the board get engaged in a breach?”

“Is there a subcommittee? How are decisions made? Which decisions should involve the board?,” Kress asked. “Breaches oftentimes happen at inopportune times such as weekends and holidays because threat actors know less-experienced people are manning the ship—if they’re working at all. A good crisis response plan should have clearly defined the role of the board, outside counsel for support to ensure you have the regulatory requirements for reporting, and arrangements with a marketing firm to handle public relations.”

One attendee shared that, after the US Government Affairs Office (GAO) released its assessment of the Equifax breach, his board asked the chief information officer to review the GAO’s recommendations and do a gap analysis. “I was surprised by how cogent those reports really were,” he said. But for him, paying close attention to how one federal entity picked apart all that went wrong in the Equifax case raised questions around how boards should think about disclosures and communicating what the company’s risk capacity is.

“Cybersecurity needs to go hand-in-hand with the broader enterprise risk management program,” Kress said. “Cybersecurity is one type of business risk that needs to be addressed broadly—in the 10-K or via a cogent response from management on how they want to mitigate that risk. And companies are improving their capabilities in detection and response processes, with the time to detect and respond to an incident getting shorter. However, the financial impact of cyber breaches continues to go up, with current research showing that the average cost of a cyber incident is between 16 and 17 million dollars.”

When it comes to improving the company’s response, a board can be a huge asset. Another director shared that, in her experience, management might offer pushback against boards that want to do tabletop exercises, seeing the process of simulating an emergency as “overdoing it.” And yet, when her boards were allowed to engage on this level, management found that the director perspective was invaluable because they were asking the right kinds of questions that challenged basic assumptions.

“It’s important you put pressure on things,” Vikram Desai, global managing director at Accenture, said in affirmation. “In my observations, the CEO will ask the CISO [chief information security officer] and the CIO [chief information officer] if everything’s good on the security front. They say it is—and nothing gets back to the board. These are dynamics that create a false sense of security.”

But despite best efforts, odds are that companies with a digital footprint will be breached at some point in time—which will in turn mean having to work with the federal powers that be. On this front, it was noted that most companies are not 100 percent compliant with federal regulations from the get go. At the very least, it’s important to have a formal plan and timeline in place for becoming compliant as a token sign of good faith for the regulators who may do a thorough investigation of the company’s cybersecurity practices. Ignoring these issues, however, is not an option.

As the conversation accentuated the integral role that the CIO has to play in the board’s oversight of cybersecurity issues, one director asked about what small-cap companies should do, as they frequently lack the financial means to attract and retain the requisite talent to help see boards through these issues. And even if there is money set aside to bring on a CIO or a CISO, the phrase “you get what you pay for” painfully springs to mind.

Here, outsourcing can be a viable option. “The smartest thing a company can do is go to a managed security services provider,” Desai said. “They can provide the ability to monitor operations, and if something happens, they can activate the incident response plan. And within the universe of security services, there is a ranking checklist that rates these companies from OK to very proficient.” 

As the afternoon progressed, the conversation began to explore a more fundamental element of cybersecurity: What part of the board should assume the primary responsibility for overseeing cyber risk? Historically, the audit committee has taken on this task largely because it was concerned with enterprise risk management in general. But as the cyberthreat landscape continues to quickly grow in scope, both Kress and Desai agreed that this might not be the best arrangement and that—at least for the larger companies with the capabilities to do so—creating a standalone technology and risk committee might be key to capably overseeing these issues into the future.

Failsafe means of prevention may be impossible and having a well-orchestrated crisis response plan is the best any company can hope for to save face in a crisis. A company that makes the best of efforts remains at high risk of losing stakeholder trust. It’s a problem too large for any one company to solve, making it imperative to identify ways in which to foster collaboration.

“We are nearing a point where boards need to ask management how they are working with other companies within the industry,” Kress said in closing. “Digital trust underpins every organization today. If we lose digital trust, there will be significant financial impacts. I think that participating in industry forums and being more willing to share knowledge with government entities about breaches can help.”

Click here to read additional coverage from this roundtable event.