Now corporate boards have responsibility for cybersecurity, too | MIT News
A new ruling from the U.S. Securities and Exchange Commission (SEC), known as the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, went into effect last fall. The ruling requires public companies to disclose whether their boards of directors have members with cybersecurity expertise. Specifically, registrants are required to disclose whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks; the processes by which the board is informed about cyber risks, and the frequency of its discussions on this topic; and whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.
“In simplest terms, boards are on the hook for management, governance, and disclosure reporting,” explains Keri Pearlson, executive director of the Cybersecurity at MIT Sloan Research Consortium (CAMS). “While there is a lot of interpretation left to do, this we know for sure.”
Also well understood is the increasing likelihood of hacking events and the exponential cost to companies. Despite recent efforts to beef up cybersecurity by companies and governments worldwide, data breaches continue to increase year over year. Data show a 20 percent increase in data breaches from 2022 to 2023. Given the rapid proliferation of digital work and digitization in general, this should come as no surprise. As noted by the SEC in a fact sheet accompanying the recent rulings, “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third-party service providers for information technology services, including cloud computing technology.”
Cyber resilience: respond and recover
Pearlson’s ongoing research includes organizational, strategic, management, and leadership issues in cybersecurity. Her current focus is on the board’s role in cybersecurity. In a January 2023 MIT Sloan Management Review article, “An Action Plan for Cyber Resilience,” Pearlson and her co-authors suggest that board members must assume that cyberattacks are likely and exercise their oversight role to ensure that executives and managers have made the proper preparations to respond and recover.
“After all, if we assume every organization has a likely risk of being breached or attacked, and it’s not possible to be 100 percent protected from every attack, the most rational approach is to make sure the organization can recover with little or no damage to operations, to the financial bottom line, and to the organization’s reputation,” says Pearlson. To properly mitigate cyber risk, company leaders must have rock-solid plans in place to respond and recover quickly so that the company can continue to operate. They need to be cyber resilient.
Pearlson compares cyber resilience to Covid resilience practices. “We did things like stay home, wear masks, and get vaccines to both reduce the chances we got Covid, but also to reduce the consequences of getting sick.”
In other words, the current, protection-oriented approach most companies take to cyber is not enough. Protection only helps us mitigate issues we know about. But cyber criminals are innovative, and we don’t know what we don’t know. They seem to continually find new ways to break into our systems. Pearlson talks about the need to be resilient and how that kind of thinking comes from the top. “While boards have been getting reports on cybersecurity for a long time, these are typically once a year and not focused on the data that boards need to ensure their companies are resilient,” says Pearlson.
In their May 2023 Harvard Business Review article, “Boards Are Having the Wrong Conversations About Cybersecurity,” Pearlson and co-author Lucia Milică comment on the inadequacy of typical cybersecurity presentations during board meetings, which usually cover threats and the actions or technologies the company is implementing to protect against them. “To us, that is the wrong perspective for board oversight. We know we cannot be completely protected, no matter how much money we invest in technologies or programs to stop cyberattacks. While spending resources to protect our assets is critical, limiting discussions to protection sets us up for disaster.”
Instead, the conversation needs to focus on resilience. For example, instead of going into detail in a board meeting on how an organization is set up to respond to an incident, members must focus on what the biggest risk might be and how the organization is prepared to quickly recover from the damage should that situation happen.
Assessing risk using a Balanced Scorecard approach
To that end, Pearlson developed the Board Level Balanced Scorecard for Cyber Resilience (BSCR), designed to help boards and management have more productive discussions and understand the organization’s biggest risks to cyber resilience. Inspired by Kaplan and Norton’s Balanced Scorecard, a well-known tool for measuring organizational performance, Pearlson’s BSCR maps these key risk areas into four quadrants: performance, technology, organizational activities (such as people and compliance requirements), and supply chain. Each quadrant includes three components:
- A quantitative progress indicator (red-yellow-green stoplight) based on the organization’s existing framework for cybersecurity controls, such as CISA Cybersecurity Performance Goals (CPG), NIST SP 800-53, ISO 27001, CIS Controls, or other controls assessments;
- The biggest risk factor to organizational resilience according to C-level leaders; and
- A qualitative action plan, where C-level leaders share their plan to address this risk.
The scorecard helps orient board reporting and conversation on the focus areas around which the organization should be concerned in the event of a cyberattack — specifically, the technology, the financial side of the business, the organizational side, and the supply chain. While some companies may require other quadrants, the idea is that each of those focus areas should have quantitative measures. By looking at these indicators together in a single framework, leaders can draw conclusions that might otherwise be missed.
“Having controls is nothing new, particularly for publicly traded companies that have a program for measuring and managing their cybersecurity investments,” says Pearlson. “However, there is a qualitative risk that often doesn’t come across in those measurements. While a typical control may measure how many people failed the phishing exercise, which is an important component of cybersecurity, the scorecard encourages businesses to also understand what is at risk and what is being done about it.” You can read more about the scorecard in this recent Harvard Business Review article.
Providing boards the information they need
The vast majority of leaders understand they are in jeopardy of an attack — they just don’t know how to talk about it or what to do about it. While it’s easiest for cyber executives to report on technology metrics or organizational metrics, this information does not help the board with their job of ensuring cyber resilience. “It’s the wrong information, at least initially, for conversations with the board,” says Pearlson.
Throughout Pearlson’s research, cybersecurity leaders, board directors, and other subject matter experts expressed their interest in key information about system assets, proactive capabilities, and how quickly they could recover. Some wanted to better understand what data types their company maintained, where they were maintained, the likelihood of compromise, and the impact that compromise would have on business operations. More than half of the participants wanted to know the financial dollar value involved with breaches or cyberattacks on their organization.
Pearlson’s BSCR helps to put these risks in the context of specific areas or processes that are core to the business and to address nuances, such as: Is this an immediate risk or a long-term one? Would a compromise in this area have a minimal impact or a huge impact?
“A Balanced Scorecard for Cyber Resilience is the starting place for the discussions about how the business will continue operations when an event occurs,” says Pearlson. “It is not enough to invest only in protection today. We need to focus on business resilience to cyber vulnerabilities and threats. To do that, we need a balanced, qualitative assessment from the operational leaders who know.”
Pearlson teaches in two MIT Sloan Executive Education courses that help individuals and their organizations be more resilient. Designed for non-cyber professionals, Cybersecurity Leadership for Non-Technical Executives helps participants become knowledgeable in the discussion. Cybersecurity Governance for the Board of Directors assists board members, C-suite leaders, and other senior executives in quickly gathering essential language and perspectives for cybersecurity strategy and risk management to better carry out their oversight and leadership responsibilities.