July 26, 2022
The data security landscape is ever changing, and boards need to prepare themselves for future threats. To discuss insights into the challenges of overseeing cybersecurity and constant new threats, NACD, in partnership with Baker McKenzie, EY, and Optiv, brought together panelists Robyn Bew, west region leader of EY’s Center for Board Matters; Joanna Burkey, chief information security officer (CISO) at HP, Inc.; Jerry Perullo, founder of Adversarial Risk Management and former CISO at IntercontinentalExchange; James Turgal, vice president at Optiv; and Cyrus Vance, partner at Baker McKenzie. Greg Griffith, NACD senior director of partnerships and corporate development, moderated the event. Below are key questions and answers from that conversation.
What are some baseline steps you find [yourself] advising your clients to take over and over to enhance cybersecurity resilience?
Cyrus Vance: I think you have to be looking at the whole continuum of risk. It means getting a lawyer involved early in the process so that some of these investigative steps can be done with the direction of counsel, which gives the company flexibility as it goes through all these other steps along the continuum to determine what information becomes public and what information does not become public. Make sure that your board has looked at your company, has looked at its resiliency, has a game plan for when the day happens that you don’t want to happen so that there’s no confusion about who gets called.… Look at everybody who’s in the action chain in the aftermath of cyber events—the CEO, CISO, lawyers, consultants, all of that. You probably already are doing what needs to be tested before an event happens so that you are not caught out when it happens. Make sure that your leadership around cyber is steady… [and that] the communications personnel are also in the loop before anything happens. We’ve all been through crises in business. I certainly have. I think one of the most important things is to have executive leadership [that] knows how to lead through a crisis without everyone feeling scared about what they’re doing and how they’re doing.
What advice would you give to yourself or to boards or board members?
Joanna Burkey: I can’t agree emphatically enough with the need for preparedness. It’s important to think about not only being prepared so you know what to do, but also [so that] people know what they do not need to do when the time comes, especially with a cyber incident because there can be so much panic, and there’s so much unknown around it. I’ve noticed the tendency for a lot of the senior executives and board members to immediately think, Oh my gosh, I’ve got to do something. Not necessarily. Ideally, your preparation is very much predicated on getting a comfort level where they know who’s going to do what, and at least that aspect of the panic can be tamped down a little bit.… My piece of advice there is [that cybersecurity] is just another element of business. It can be a risk. It can also be an opportunity. What it means to the enterprise is very much determined by the type of enterprise you are, who you want to be, what makes your company special. Is it the [intellectual property], is it your mobile operations that make you special? What is your cyber maturity? And what’s your value proposition as an enterprise? Once you look at those three things, you as a board director don’t need to have in-depth, technical knowledge about cybersecurity. You just need to know it’s a strategic element of doing business. As long as you have somebody who is overseeing it for your enterprise, you have confidence that that’s the right somebody, you know that they have a plan, and you as a director have oversight as to whether their plan is appropriately resourced, then it’s just another business element.
What are you hearing from your clients about the proposed US Securities and Exchange Commission (SEC) rule changes, and what do you advise?
Robyn Bew: Obviously there’s a lot of attention from directors on the component of the rule regarding disclosure around board expertise.… To date, we’re not seeing a lot of boards and nominating and governance committees immediately ripping up and redoing their skills matrix; board composition and recruiting take time. But boards are starting to discuss how they’re going to tell their story about the way that cyber knowledge and expertise is getting into the boardroom. That might include the skills of one or more individual directors, it might be briefings that the board receives from law enforcement or from external advisors, and so on. The other thing we’re seeing, and this is true for really any proposed SEC rule, is boards engaging with management teams and asking the questions, “If the rule was enacted as written, where are we with our ability to comply? Are we pretty close? Or what’s the gap? […] Do we need to revisit our definition of materiality? What about our escalation protocols? If there’s going to be a four-day clock that starts ticking [to report a cyber incident after the company has determined it is material], how prepared would we be?”
What can board members do to diminish the risk of successful critical infrastructure attacks?
James Turgal: The [Federal Bureau of Investigation (FBI)] has led a bunch of different initiatives. It’s all [about] the public-private partnership. You got the Information Sharing and Analysis Center, ISAC, out there.… What [Vance] is talking about is this ability for organizations within a particular industry, within a particular vertical to share information. One of the things that the FBI tried to do, and I don’t think they did it very well in the early days of cybersecurity, but excel at it today, is to be able to drive that sharing mechanism, which they really need to do…. But when companies don’t throw up the flag and say, “Oh my god, we’re in the middle of an attack,” we can’t tie the attackers to the breadth of victims we have all talked about. There’s a real need to force that kind of conversation, but also force the conversation within your industries. Where is your local ISAC? Do you know your local FBI field office cyber supervisor? Your CISO and [chief information officer] should have a speed dial to those guys because every city has one. The entire world is covered by the FBI from a cyber aspect. Knowing about the ISACs and [being] able to share that intelligence will also help keep you safe.
How are you handling the risk of working from home?
Jerry Perullo: If we had our intellectual property stolen, revealed on Twitter, how impactful would that be for us? There need to be some frank discussions to say, “That would be a bad day, but we can manage it.” That’s not our top risk. Sabotage, on the other hand, we can’t afford to be offline for more than, well, everybody’s going to say five minutes. But what’s real? Maybe it’s actually five days. You need to go through that process and you need to do that first because when you identify these threat objectives—and that’s things like extortion, sabotage, [data] theft—when you go through those and figure out what’s our mission for cybersecurity, then that adds a vocabulary for everything from that day forward. When you’re hearing about an investment, say, “Okay, how does that affect what we decided early on as our marching orders?”
With home computing, [companies will] talk about, “What’s our latest [security] software? We’re going to deploy it on all of our laptops to secure them.” But if you ask the question of how many of our employees are actually using our laptops [versus home computers], there are a lot of people that are completely operating outside of the environment. You need to look through your cybersecurity leadership for people who are just looking [to say], “When something happens, I want to be able to prove it wasn’t my fault.” That’s not what you want. You want something like that to not happen. You don’t want people to put their head in the sand or have a policy that says everyone’s going to use our equipment and now only worry about that. People are violating policy and we need to meet them where they are, because you really just want to not have an incident.