In part 1, we explored what boards of directors were saying about cybersecurity in order to shed some light on why they may not be taking it as seriously as they should.
In this article we’ll look more closely at why their confidence in cybersecurity is low and what should be done about it.
How Confident Board Directors Are That They Know Cybersecurity
Overall, boards know substantially more about governance than they know about cybersecurity.
Many boards are happy to delegate it to the audit or risk committee and be done with it. Some board directors take the view that a breach is more likely to happen than not, so they’ll worry about it when the time comes.
Other board directors believe that it’s an IT issue and leave it to the IT department to make sure all the bases are covered. Companies that don’t handle much personal information may feel that it’s not relevant enough to make a priority, not realizing that they carry just as much risk as banks, retailers, healthcare organizations and insurers.
Perhaps the bulk of board directors don’t understand cybersecurity well enough to even ask the right questions. In some boardrooms, directors are looking around the room for someone else to come up with a responsible cybersecurity plan.
The reality is that any company with valuable assets is a target. Most of the companies that have received major media attention for data breaches have been in the limelight because breach notification laws obliged them to disclose. There are thousands of other companies that don’t disclose cyber breaches because there’s no requirement to do so.
A leading cybersecurity lawyer spoke to public companies at the SEC’s Cybersecurity Roundtable in March 2014 and stated, “I would say that I really can’t think of a case – and we’ve worked a lot – where the disclosure thinking or analysis was driven by the securities law issues, frankly.”
In other words, board directors shouldn’t wait for the SEC to force action before they take their liability seriously. Board directors can be held personally liable for being inactive on the issue of cybersecurity.
To date, there has been little litigation over a lack of board oversight. The more that becomes known about cybersecurity, the more likely that is to change. A rash of liability suits could ensue in the future if boards don’t begin to give the issue more attention. The SEC could also step in at any time and put regulations in place to require stronger oversight.
Why Boards Need a Wake-Up Call on the Issue of Cybersecurity
Cybersecurity is an enterprise-wide risk. The full board needs to gain a broader understanding of this area and form a responsible plan for how to manage it. It’s fine to delegate it to a committee, but the board should understand it, too.
While the audit committee may be the appropriate committee to handle it, boards should take into account the increased obligations they have already taken on recently.
There’s no question about the severity of cyber risk, and it’s the board’s job to ask the hard questions of the IT department and get solid answers.
Experts and consultants are available to perform customized, independent evaluations, and boards should consider accepting their assistance. Employee education is a big part of creating a cybersecurity-aware culture.
Cybersecurity starts with the board taking its own security seriously. One thing to consider is a board management software program such as Diligent. This software is the first step to ensuring that board communications are secure and confidential. Diligent promotes modern governance in all aspects of board responsibilities, which means that boards are willing to take the most efficient, secure and streamlined approach to their board duties.