Cybersecurity has become a critical topic for boards of directors for several reasons. First, cybersecurity is now an existential issue, intrinsically tied to staying competitive in the market. The rapid digitization in financial services as well as the new ways of working spawned by the pandemic have created new risks that either did not exist or were not material before.
Second, regulators are increasingly indicating that ultimate accountability for cyber risk management rests with the board. This can mean that board members are personally liable for major cybersecurity lapses. The board must therefore have sufficient cybersecurity knowledge to discharge their fiduciary duties of care and diligence.
Additionally, environmental, social, and governance (ESG) issues are featuring much more prominently on board agendas. Cybersecurity, digital disruption, and data privacy are sustainability issues that need to be managed and disclosed.
Security leaders must educate their boards on an ongoing basis, speaking language they can understand and ensuring their updates stimulate engagement and dialogue, rather than a download of technical jargon. In fact, increasingly regulators ask to see board minutes proving that boards are engaging in robust discussion on cybersecurity. Boards can no longer just accept the CISO’s memo as “read.”
Boards typically set the risk appetite for cybersecurity along with all other risks in their organizational risk framework. Directors need to understand how inherent and residual risks compare against appetite. They must understand adopted frameworks for managing cyber risks and how cyber risk management fits within the broader risk management framework. They need to be satisfied with the governance structures in place. They should understand the threat landscape in terms of how it impacts their organization as well as be aware of emerging risks. Much of this responsibility falls to the board risk committee.
Boards should ensure the risk committee dedicates enough time to carry out these duties and is flexible enough to convene should material issues arise. Outside of the usual brief quarterly update by the CISO to the full board, many risk committees hold annual or bi-annual deep dives which focus on any of the material risks that are operating outside of appetite. In many cases, cyber is one of them. Whether cyber briefings become more frequent or whether we see growth in dedicated cybersecurity committees largely depends on the effectiveness of the risk committee and whether what is elevated to the full board gives the board confidence that they are adequately discharging their risk management obligations.
The expected lifespan of a CISO at an organization is only two to two and a half years. This is largely because they are wearing more and more hats: protector, enabler, key business partner, and advisor. Regulators are placing more scrutiny on CISOs in financial services; in many cases, holding them personally accountable. This means CISOs need to carefully consider every discoverable artifact they put out, especially to the board risk committee and/or full board.When preparing for board briefings, consider the following:
Metrics too should be organized into a framework that tells a story. There are no perfect measures. There is not even all that much commonality in the measures individual institutions use across the industry when reporting to boards. However, metrics can loosely be grouped into those that track:
While boards tend to be well-versed on risk management as a topic, cyber defense is an area that is constantly evolving. It is imperative that board directors continue to increase their understanding of digital technology and cyber issues to be equipped to challenge management where necessary. They do not need to become experts, but can take courses, such as The Board’s Role in Cyber offered by the Australian Institute of Company Directors. They should also have access to independent cyber expertise, which is anyone outside of management that the board feels comfortable with, often the Big Four or other independent consulting firms.
As time goes on, boards will increasingly have cyber expertise as part of their makeup to ensure they are appropriately skilled and resourced to deal with emerging cyber risks. This may be an opportunity for CISOs of large firms to become board directors.
Now more than ever, “short-termism,” or singular focus on quarterly earnings, could render the company vulnerable to cyber threats. To balance investor expectations on sustainability and long-term viability, boards must be well-versed enough on cybersecurity to maintain an ongoing constructive dialogue with management to protect both shareholder value and cyber resilience.
As cybersecurity becomes a more material and even existential risk, boards of directors need to understand more about current and future threats and the institution’s cyber posture to discharge their fiduciary duties. CISOs should engage with the board risk committee as well as the full board and educate them so that they can have a meaningful dialogue with management. Directors should empower themselves with digital literacy and conceptual knowledge of cyber issues. The increasing importance of cybersecurity knowledge on boards may mean more CISOs will be recruited as board directors in the future.
© 2023 FS-ISAC, Inc. All rights reserved.
Elrich Engel is the Director of Cyber Security (CISO), Architecture & Data at AMP Ltd as the executive accountable for Cyber Security, Enterprise Architecture, Financial Crimes Operations & Data. Elrich was previously...Read More
the CISO at Vodafone Hutchison Australia, where he built the Cyber Defence & Response Centre (CDRC) from the ground up, restructuring and tripling the cyber practice, driving the diversity agenda and establishing the Cyber Security programme management practice, managing a multimillion-dollar annual budget. He holds a Bachelor’s degree (National Diploma) in Information Technology from the Cape Peninsula University of Technology in Cape Town, South Africa and has completed the Sustainable Business Strategy course from Harvard Business School. He serves on the advisory board of the Deakin University Executive Advisory Board for Cyber (EABC), advisory board of the Palo Alto Networks JAPAC Executive Advisory Board, is an industry advisor to CyRise - Australia's Cyber Security Accelerator, and has served as a steering committee member of the Sydney Joint Cyber Security Centre (JCSC). He was recognised as one of the Business of InfoSec 2021 Global Top 100 Leaders in Information Security. Previously, he has held various leadership positions, including Vodacom South Africa, as well as roles with Sensis (Australia), the South African Government, and several system integrators.