July 24, 2019
A recent Accenture report finds that as the challenges of cybersecurity continue to change rapidly, increasing in impact and complexity, the cost of resolving cyberattacks is also on the rise. In fact, in 2018, the average cost of cybercrime to affected companies increased by 12 percent from the year before, reaching $13 million per company. As these mutating threats grow in volume, sophistication, and scope, companies and their boards will be forced to play catch-up, constantly adapting their cybersecurity defenses to threat actors.
Admiral James Stavridis, former Supreme Allied Commander of NATO, has been consistently beating the drum for enhanced cyberprotection for years, and remains concerned about the varied risks originating from cyberbreaches. Stavridis recently joined NACD to share his insights into board governance of this ever-growing threat. He is currently an operating executive of the Carlyle Group, chair of the board of counselors of McLarty Global Associates, and chair of the board of the US Naval Institute. He is also a monthly columnist for TIME magazine and chief international security analyst for NBC News. Admiral Stavridis will be a featured speaker at the NACD 2019 Global Board Leaders Summit.
Boards largely recognize the growing significance of cyber risks. The 2018–2019 NACD Public Company Governance Survey finds that roughly 77 percent of directors have reviewed their company’s current approach to securing its most critical data assets against cyberattacks. That said, boards remain concerned about governance of this risk area; according to the same survey, 97 percent of respondents report oversight of cybersecurity as an important area of improvement. And they are right to be concerned, as just half (50%) express confidence that their companies are properly secured against a cyberattack.
Directors’ anxieties over cybersecurity are well-founded, as this security issue cuts across nearly all dimensions of modern life. From national security threats to the devices we carry with us, or those found in our homes, the proliferation of digital connectivity has increased our vulnerability to these threats. For Admiral Stavridis, it’s important to disaggregate the types of risk, as each will require unique treatments and strategies to effectively address. He breaks these cyber risks down into the following:
In response to these threats, observers are debating the effectiveness of adding cyber-risk expertise to boards. Congress is getting involved, with the proposal of a bill that would push publicly traded companies to include cybersecurity experts on their boards. A separate congressional bill has also been introduced, which if passed into law, would require public companies to disclose whether directors are cybersecurity experts. Proponents of these legislative initiatives believe these would elevate oversight of this risk in the boardroom. Opponents question how expertise will be determined and by whom, as well as the effectiveness of a single-purpose director.
Admiral Stavridis falls squarely in the camp advocating for inclusion of this knowledge base in the boardroom, noting, “I do think it’s mandatory that every single firm has at least one cyber expert as a board member. So often, boards are simply not up to speed. [To mitigate against this reality,] some boards bring in a chief information officer, technology officer, or another member from the management team. But there is no substitute for having a peer in the boardroom, who broadly understands cyber, as well as the company’s approach to incorporating this risk calculation into its operations.”
He also believes that in the next couple of years, the United States Securities and Exchange Commission is likely to start mandating this type of expertise for public company boards. According to the Admiral, “it will resemble audit, in the sense that this will be a defined skillset, and will require a committee that focuses on its oversight.” He uses one of his boards, which established a committee on safety, technology, environment, and operations, as an example. The board decided to incorporate safety and operations into the committee’s responsibilities, as that is where much of the firm’s cybersecurity concerns are concentrated. “It’s an interesting grouping, but [to meet our company’s specific needs], that’s where we delegate governance of cyber risk, as well as the technology function,” he explained.
The Admiral believes the future of board oversight of risk is likely to skew toward cyber risk. His decades of experience in the public and private sectors have given him a unique perspective on these threats, lending weight to his warnings.
This issue is not going away anytime soon. Its impact is likely to be more acutely felt in the coming years, especially as a growing number of companies leverage customer data to transform business models and create value. Effectively addressing this challenge will require an approach that incorporates not only strategy and risk management, but also legal and technological expertise. There is no panacea. There are, however, practices and processes that directors can adopt to mitigate exposure to cyber risks.
The NACD Director’s Handbook on Cyber-Risk Oversight provides practical guidance for boards across company sizes and types. Its five key principles are highlighted below: