Topics:   Cybersecurity,Leadership,Risk Management,Strategy

July 24, 2019

Stavridis Challenges Boards to Evolve on Cybersecurity

A recent Accenture report finds that as the challenges of cybersecurity continue to change rapidly, growing in impact and complexity, the cost of resolving cyberattacks is also rising. In 2018, the average cost of cybercrime to affected companies increased by 12 percent from the year before, reaching $13 million per company. As these mutating threats grow in volume, sophistication, and scope, companies and their boards will be forced to adapt their cybersecurity defenses continually just to keep pace with threat actors.

Admiral James Stavridis, former Allied Commander of NATO, has been consistently beating the drum for enhanced cyberprotection for years, and remains concerned about the varied risks originating from cyberbreaches. Stavridis recently joined NACD to share his insights into board governance of this ever-growing threat. He is currently an operating executive of the Carlyle Group, chair of the board of counselors of McLarty Global Associates, and chair of the board of the US Naval Institute. He is also a monthly columnist for TIME magazine and chief international security analyst for NBC News. Admiral Stavridis will be a featured speaker at the NACD 2019 Global Board Leaders' Summit.

Cyber Risks Present a Unique Challenge for Our Times

Boards largely recognize the growing significance of cyber risks. The 2018–2019 NACD Public Company Governance Survey finds that roughly 77 percent of directors have reviewed their company's current approach to securing its most critical data assets against cyberattacks. That said, boards remain concerned about governance of this risk area: according to the same survey, 97 percent of respondents identify oversight of cybersecurity as an important area for improvement. They are right to be concerned, as just half (50 percent) express confidence that their companies are properly secured against a cyberattack.

Directors' anxieties over cybersecurity are well-founded, as this security issue cuts across nearly all dimensions of modern life. From national security threats to the devices we carry with us or those found in our homes, the proliferation of digital connectivity has increased our exposure to these threats. For Admiral Stavridis, it is important to disaggregate the types of risk, as each requires its own treatment and strategy to address effectively. He breaks these cyber risks down into the following:

  • Criminal activity. This comprises "for-profit activity, which by some estimates may amount to up to one trillion dollars a year, and can include activity such as stealing an individual's most private and intimate details from the cloud. This particular risk presents a massive challenge for most companies today."
  • Terrorism. "This is the work of groups whose activities are ideologically driven and question the value of specific societal structures. These groups include the Islamic State, Boko Haram, WikiLeaks, right-wing nationalist organizations, [and] international anarchist organizations."
  • State-on-state cyber risk. “There are a lot of shadow national activities, which used to take the form of espionage, but are quickly turning into shadow wars. Hackers are infiltrating networks, planting devices, manipulating data, and producing very real kinetic effects. In this arena, the US and China are the largest rivals, but certainly not the only relevant ones—other important players include Russia, North Korea, Iran, Israel, and France.”

Cyber-Risk Expertise in the Boardroom

In response to these threats, observers are debating the effectiveness of adding cyber-risk expertise to boards. Congress is getting involved: one proposed bill would push publicly traded companies to include cybersecurity experts on their boards, and a separate bill, if passed into law, would require public companies to disclose whether any of their directors are cybersecurity experts. Proponents of these legislative initiatives believe they would elevate oversight of this risk in the boardroom. Opponents question how expertise would be determined and by whom, as well as the effectiveness of a single-purpose director.

Admiral Stavridis falls squarely in the camp advocating for inclusion of this knowledge base in the boardroom, noting, “I do think it’s mandatory that every single firm has at least one cyber expert as a board member. So often, boards are simply not up to speed. [To mitigate against this reality,] some boards bring in a chief information officer, technology officer, or another member from the management team. But there is no substitute for having a peer in the boardroom, who broadly understands cyber, as well as the company’s approach to incorporating this risk calculation into its operations.” 

He also believes that in the next couple of years the United States Securities and Exchange Commission is likely to start mandating this type of expertise for public company boards. According to the Admiral, "it will resemble audit, in the sense that this will be a defined skillset, and will require a committee that focuses on its oversight." He uses one of his boards, which established a committee on safety, technology, environment, and operations, as an example. That board folded safety and operations into the committee's responsibilities because that is where much of the firm's cybersecurity concerns are concentrated. "It's an interesting grouping, but [to meet our company's specific needs], that's where we delegate governance of cyber risk, as well as the technology function," he explained.

Leading Practices for Cyber-Risk Oversight

The Admiral believes the future of board oversight of risk is likely to skew toward cyber risk. His decades of experience in the public and private sectors have given him a unique perspective on these threats, lending weight to his warnings.

This issue is not going away anytime soon. Its impact is likely to be felt more acutely in the coming years, especially as a growing number of companies leverage customer data to transform business models and create value. Effectively addressing this challenge requires an approach that incorporates not only strategy and risk management but also legal and technological expertise. There is no panacea. There are, however, practices and processes that directors can adopt to reduce their companies' exposure to cyber risk.

The NACD Director’s Handbook on Cyber-Risk Oversight provides practical guidance for boards across company sizes and types. Its five key principles are highlighted below:

  • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an information technology issue.
  • Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
  • Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  • Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

Hear Admiral James Stavridis, former Allied Commander of NATO, speak at NACD’s 2019 Global Board Leaders’ Summit, September 21-24, 2019, in Washington, DC. Register by August 31 to save $500!