In the past, some directors might have assumed they could ‘wash their hands’ of cybersecurity because it’s not their area of expertise.
But those days are now over, according to tech and governance experts Christopher Hetner and John Frazzini, writing in a joint World Economic Forum opinion piece this week.
Every single director will be expected to shoulder responsibility for cybersecurity and ensure they know enough to make an impact, the two warned, saying that the topic was now “essential.”
What are the details?
“Cybersecurity is no longer an issue reserved strictly for the IT or compliance executives; it is an issue that impacts all board members,” Hetner and Frazzini said.
They were motivated by a growing trend among regulatory watchdogs, who are enforcing stricter standards around the kinds of reporting they will accept.
Hetner and Frazzini drew particular attention to the Securities and Exchange Commission in the United States, which proposed new cybersecurity disclosure requirements in March.
These requirements would:
- Require companies to report any “material cybersecurity incidents” to authorities in a timely manner.
- Require companies to provide consistent updates on what cybersecurity risks they face and what they are doing to mitigate them.
These proposals could quickly strike fear into the boards’ hearts. For example, the phrase “timely manner” is expected to mean only a few days, and it’s up to company leadership to decide whether an incident is “material” or not.
This is a lot of work, and oversight of it will often fall to the board.
What should boards be wary of specifically?
Proper reporting becomes more critical as stakeholders up their expectations.
This, by the way, is about more than regulators firming up laws; investors and consumers want more accountability too, because their welfare is at risk in any cybersecurity failure.
Good reporting starts at the board level, so all directors should realise that it’s a keystone component of company strategy if they haven’t already.
Cybersecurity is not a side-project that the ‘IT crowd’ will sort out; it’s central to a company’s operation. It needs analysis, documentation, and constant performance evaluation.
Are Hetner and Frazzini alone in their concerns?
When the SEC’s rule changes hit the news back in March, there was much comment, especially around the increased burden on directors’ shoulders.
In a 2021 report, Deloitte included cyber threats as part of a “new normal” that boards would have to accept. EY has encouraged an “action-oriented approach” that will foster a top-down cybersecurity culture.
And this “new normal” has also sparked a backlash in defence of boards. Writing for Forbes, board veteran Betsy Atkins criticised the SEC’s increased burden on directors and urged companies to “push back” against the proposed requirements.
If boards should be more involved, what does that look like?
It depends on the organisation, its dependence on technology and its exposure to cyber risk. However, the following are generally necessary regardless.
- Ensuring they have the necessary training to understand cybersecurity.
- Ensuring company strategy integrates cybersecurity concerns. It’s not enough to simply acknowledge problems – mitigating them needs to be built into the company’s plan for success.
- Ensuring adequate systems for complying with watchdog reporting standards, like the SEC.
- Ensuring there is a budget in place for all of the above.
“The days where security budgets are set without business impact context are over,” Hetner and Frazzini said.
“As regulatory attention increases, it is essential for the board to ensure budgets allocated to cybersecurity risk align to mitigate the potential impact effectively.”