Last month I wrote a post for this blog about the Securities and Exchange Commission’s proposals for more disclosure of cybersecurity issues. We reviewed some of the governance disclosures that boards might need to make, as well as the practical challenges of assessing whether or not a cybersecurity incident is material.
Another important element of these proposals needs examination, too: how management defines and fulfills its oversight of cybersecurity on a day-to-day basis. For example, the SEC proposal would require companies to disclose in the annual report:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, including the prevention and remediation of specific incidents
- How those people or committees are informed about and monitor cybersecurity incidents
- Whether and how often management reports to the board of directors (or a committee of the board) about cybersecurity risk
We don’t yet know when the SEC might adopt final rules about cybersecurity oversight, or what those rules might look like. That said, clearly the SEC wants senior corporate leaders to think about how they manage cybersecurity threats, and how they translate those technical matters into a business context the board can understand.
Those are goals every organization should pursue, regardless of any SEC requirement. So, let’s consider how to achieve them, and the role risk and compliance officers can play.
Begin by bringing together the right people.
First, understand that cybersecurity threats come from many different directions. You could have great technical controls, but employees who still fall for phishing attacks; you could have a security-conscious workforce, but poorly configured devices and software. You could have great technical controls and a savvy workforce, but if nobody grasped the full scope of your regulatory obligations, the one-in-a-million cyberattack that does succeed could leave you facing massive enforcement and litigation costs.
To combat such a multi-headed threat, one wise strategy (one telegraphed by the SEC in that first bullet point above) is an in-house risk committee that talks about cybersecurity and how it could strike in your particular enterprise.
The CISO is the logical candidate to chair that committee, but compliance, the legal team, and representatives from other important first- and second-line functions should all be part of this committee too. Then ask yourselves:
- What are our business plans? How are they changing, if at all?
- What security threats exist? What new threats or tactics are emerging?
- What regulatory obligations do we have for privacy, security, and incident response? Have those regulations changed at all?
The goal here is to understand how a cybersecurity threat might strike your business. Maybe it’s a new type of attack coming from outside your organization; maybe internal operations have changed (an expansion, an acquisition, a reduction in force), and controls or policies that worked before no longer do. Or maybe the regulatory environment has changed, and the costs of a compliance failure have grown high enough that new policies or controls are warranted.
Whatever the circumstances, an in-house risk committee can identify those cybersecurity challenges and decide on solutions: new technical controls, new policies, more training, or some other action. But without that in-house committee, different parts of the enterprise grapple with cybersecurity threats while operating in silos. That’s a surefire way for critical steps to go overlooked.
To do all this, several risk management and compliance capabilities will become more important. Among them:
- Business continuity
- Collecting documentation from third parties
Those capabilities help your in-house risk committee anticipate the operational and compliance risks that arise from weak cybersecurity. Then you can set remediation priorities as warranted and see that those remediation steps get done in a timely manner.
Brief the board about business risk, not IT details.
Even after you identify your cybersecurity risks and develop a plan to address them, senior management still needs to brief the board on those issues – and you need to brief the board in a way that helps directors make decisions, rather than leaving them confused or unclear on the risks at hand.
For example, the following two sentences address the same issue:
- “We encrypt all personal data in our possession and require that of our third parties, although we’re working to obtain security audits for our top technology vendors.”
- “We’re confident that we’re GDPR-compliant in our own operations, but we’re still working to assure that with our IT supply chain; either we accept that regulatory risk or we bring certain IT operations back in-house.”
Which one is more useful to the board? The second, because it helps directors understand the trade-offs between two objectives: lower costs in exchange for higher regulatory risk. Then the board and senior management can have a more productive conversation about what to do next.
Whether it’s the CISO or the compliance officer who leads these briefings with the board, the goal should always be to explain how cybersecurity issues affect the company’s ability to achieve its objectives. When you bring together the right people within your enterprise and use technology to deliver the risk analysis capabilities you need, compliance and risk teams can deliver the insights that CEOs and the board need to guide the whole organization.
And really, who needs an SEC rule to see that’s a good idea?