Corporate Boards Now Responsible for Cybersecurity
A new ruling from the U.S. Securities and Exchange Commission (SEC), known as the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, went into effect last fall. The ruling requires public companies to disclose whether their boards of directors have members with cybersecurity expertise. Specifically, registrants are required to disclose whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks; the processes by which the board is informed about cyber risks, and the frequency of its discussions on this topic; and whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.
“In simplest terms, boards are on the hook for management, governance, and disclosure reporting,” explains Keri Pearlson, executive director of the Cybersecurity at MIT Sloan Research Consortium (CAMS). “While there is a lot of interpretation left to do, this we know for sure.”
Also well understood is the increasing likelihood of hacking events and the exponential cost to companies. Despite recent efforts to beef up cybersecurity by companies and governments worldwide, data breaches continue to increase year over year. Data show a 20 percent increase in data breaches from 2022 to 2023. Given the rapid proliferation of digital work and digitization in general, this should come as no surprise. As noted by the SEC in a fact sheet accompanying the recent rulings, “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third-party service providers for information technology services, including cloud computing technology.”
Cyber resilience: respond and recover
Pearlson’s ongoing research includes organizational, strategic, management, and leadership issues in cybersecurity. Her current focus is on the board’s role in cybersecurity. In a January 2023 MIT Sloan Management Review article, “An Action Plan for Cyber Resilience,” Pearlson and her co-authors suggest that board members must assume that cyberattacks are likely and exercise their oversight role to ensure that executives and managers have made the proper preparations to respond and recover.
“After all, if we assume every organization has a likely risk of being breached or attacked, and it’s not possible to be 100 percent protected from every attack, the most rational approach is to make sure the organization can recover with little or no damage to operations, to the financial bottom line, and to the organization’s reputation,” says Pearlson. To properly mitigate cyber risk, company leaders must have rock-solid plans in place to respond and recover quickly so that the company can continue to operate. They need to be cyber resilient.
Pearlson compares cyber resilience to Covid resilience practices. “We did things like stay home, wear masks, and get vaccines to both reduce the chances we got Covid, but also to reduce the consequences of getting sick.”
In other words, the current, protection-oriented approach most companies take to cyber is not enough. Protection only helps us mitigate issues we know about. But cyber criminals are innovative, and we don’t know what we don’t know. They seem to continually find new ways to break into our systems. Pearlson talks about the need to be resilient and how that kind of thinking comes from the top. “While boards have been getting reports on cybersecurity for a long time, these are typically once a year and not focused on the data that boards need to ensure their companies are resilient,” says Pearlson.
In their May 2023 Harvard Business Review article, “Boards Are Having the Wrong Conversations About Cybersecurity,” Pearlson and co-author Lucia Milică comment on the inadequacy of typical cybersecurity presentations during board meetings, which usually cover threats and the actions or technologies the company is implementing to protect against them. “To us, that is the wrong perspective for board oversight. We know we cannot be completely protected, no matter how much money we invest in technologies or programs to stop cyberattacks. While spending resources to protect our assets is critical, limiting discussions to protection sets us up for disaster.”
Instead, the conversation needs to focus on resilience. For example, instead of going into detail in a board meeting on how an organization is set up to respond to an incident, members must focus on what the biggest risk might be and how the organization is prepared to quickly recover from the damage should that situation happen.
Assessing risk using a Balanced Scorecard approach
To that end, Pearlson developed the Board Level Balanced Scorecard for Cyber Resilience (BSCR), designed to help boards and management have more productive discussions and understand the organization’s biggest risks to cyber resilience. Inspired by Kaplan and Norton’s Balanced Scorecard, a well-known tool for measuring organizational performance, Pearlson’s BSCR maps these key risk areas into four quadrants: performance, technology, organizational activities (such as people and compliance requirements), and supply chain. Each quadrant includes three components:
- A quantitative progress indicator (red-yellow-green stoplight) based on the organization’s existing framework for cybersecurity controls such as CISA Cybersecurity Performance Goals (CPG), NIST SP 800-53, ISO 27001, CIS Controls or other controls assessments;
- The biggest risk factor to organizational resilience according to C-level leaders; and
- A qualitative action plan, where C-level leaders share their plan to address this risk.
The scorecard helps orient board reporting and conversation on the focus areas around which the organization should be concerned in the event of a cyberattack – specifically, the technology, the financial side of the business, the organizational side, and the supply chain. While some companies may require other quadrants, the idea is that each of those focus areas should have quantitative measures. By looking at these indicators together in a single framework, leaders can draw conclusions that might otherwise be missed.