According to a 2018 survey conducted by Goldsmiths with responses from 1,530 nonexecutive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries, more than 90 percent of C-level execs said they could not read a cybersecurity report and believed that they were not prepared to handle a major cyber-attack.
A more recent EY study conducted in September of 2019 found some improvement in preparedness or education, but astoundingly very little.
Boards who assigned cybersecurity oversight to non-audit committees, increased by 7%. Some companies, 10% overall, indicated that the full board retained cybersecurity oversight, but only a few of these boards moved cybersecurity oversight responsibilities from the audit committee to another committee; in most cases cybersecurity oversight responsibilities were newly assigned to a non-audit committee.
Only 14% included cybersecurity as an area of expertise sought on the board or cited in a director biography, and there was only a 7% increase in the number of firms who identified at least one “point person” from management (e.g., the CISO or the chief information officer) to report directly to the board. The percentage of companies that disclosed the use of an external independent advisor regarding cybersecurity matters remained unchanged at 12% from 2018.
And a mere 9% stated that their preparedness includes simulations, tabletop exercises, response readiness tests or independent assessments.
Cyber Risk Regulations
Businesses of all sizes and stripes are increasingly required to meet strict cyber risk management mandates or face penalties. The tightening regulatory environment has prompted boards of directors to take an increasingly active role in implementing effective cyber risk management programs within their organizations in an effort to mitigate the risk of disruption to their business operations, avoid costly fines and damage to their brand as well as evade significant financial losses.
The increasing regulatory requirements and the combined personal and professional liability risks to C-level and board members are creating inflated risk for management teams who now have increased legal liability for cybersecurity events, yet lack any ability to understand cyber-threat reporting or confidence in their own organization’s ability to prevent business disruption due to a cyber-attack.
Every company that operates internationally and/or provides international guidance by way of consulting to other businesses knows that the EU General Data Protection Regulation (GDPR) significantly expands the scope and enforceability of the EU’s data privacy regime. Businesses are required to inventory all personal data, incorporate risk-based cybersecurity measures and report any data breach to the supervisory authority within 72 hours. Non-compliant organizations may be fined up to four per cent of annual global revenue or €20million (whichever is greater).
Similarly, in the U.S., the New York Department of Financial Services (NYDFS) in 2018 issued a first-of-its-kind cyber regulation impacting all New York-regulated financial institutions. The NYDFS regulation mandates the implementation of a risk-based cyber management program, the appointment of an individual to oversee the program and, in an unprecedented step this ground-breaking regulation holds company board members and senior officers personally liable for annual compliance certification.
This legislation was quickly followed by the SHIELD act, aka the New York Data Security Act which now requires all companies that hold sensitive data of New Yorkers to adopt administrative, technical, and physical safeguards for that data, similar to the GDPR, regardless of the industrial sector in which they find themselves (not just Financial institutions).
And immediately following the Equifax breach, congress created The FREE act (Freedom from Equifax Exploitation) creating a federal requirement for credit reporting agencies to freeze access to credit files at a consumer’s request, to give control over credit and personal information back to consumers, prevent credit reporting agencies from profiting off of consumers’ information during a freeze, and enhance fraud alert protections. There will be many more laws following these at both the individual state and federal levels throughout the remainder of the year.
Gambling with Risk
What is puzzling in light of these regulations and the shifting personable liability for cybersecurity breaches is why boards continue to remain so befuddled regarding what is clearly the number one threat to all businesses today. We all know and accept the fact that cyber-attacks are one of the top three threats (if not the number one threat) to all businesses today and Warren Buffet described cyber-crime as the greatest threat to mankind at his annual Berkshire-Hathaway shareholder’s conference. Yet, fewer than half of board members surveyed claim to have any visibility within their organizations as to the prioritization, identification or development of solutions to protect their company’s critical digital assets.
So, why aren’t boards responding to this threat by throwing (investing) whatever amount of money that is required at the problem until it is fixed?
If we look at financial corporate governance, we see that the challenge of investing is compounded by the fact that our brains (which excel at resolving ambiguity in the face of a threat) are less well equipped to navigate the long term with the same degree of intellectual agility. Since none of us can predict the future, successful investing relies on careful planning and continual discipline along with factual, quantitative data that can be used to support risk decisions.
In order to make a decision about risk, it is necessary to understand the costs associated with doing nothing and maintaining the status quo or investing in hedges against the risk. In cybersecurity, it is common to refer to risk in qualitative terms, but in real life, risk decisions are actually based on quantitative terms. In the pre-COVID-19 era, deciding to visit Paris was influenced not by the color-coded travel advisories issued by the State Department but rather by the then current death count resulting from terrorist attacks throughout France.
Similarly, gamblers may make what appear to be ill-informed risk decisions on a roll of the dice, but they actually control one of the key risk factors involved and that is the amount of money they are willing to wager, so there is always an element of quantitative assessment involved in the gamble. If the wager is $20, they know that $20 is the amount they may lose if things go poorly.
Board members do not have similar luxuries as they have no idea what amount of money is at stake in the cybersecurity arena and they have only the faintest idea about what all of the technological prevention and protection approaches actually do.
Bike-shedding
In fact, today’s incongruity between the extent of the Board’s cybersecurity knowledge and the level of decision-making authority they hold, is a recipe for the common malady known as bike-shedding.
Bike-shedding occurs when a team spends an unnecessary amount of time on trivial details, neglecting the big picture. It usually happens because the most important issues are so complex that teams focus instead on simpler, more solvable problems. The term originates from the story of a committee that approved flawed plans for a nuclear power plant because they wasted time discussing details about the plant’s bike shed.
So, given that context, it may be easier to understand why Board-level executives appear so reluctant to move toward greater protection against a cyber-attack. It is not due to a lack of urgency or a failure to understand the potential consequences. They are undoubtedly clear that their enterprise will be hit with a cyber-breach one day and that some amount of damages will result. They simply do not know what that amount might be.
Compliance and Risk-Assurance
The fines outlined by the GDPR and other regulatory agencies will certainly help define the failure of non-compliance in specific and quantified monetary terms, but compliance does not equal risk-assurance. All organizations need the ability to align risk with strategy and make decisions based on the need to deliver value while protecting the enterprise.
Until CIOs and CISOs begin measuring and reporting cyber-risk in those same monetary terms, boards will continue to be reluctant to invest in any programs that are designed to reduce cyber-risk with vaguely defined results just as they would be expected to reject proposals for investments in other asset-gambling initiatives where the outcomes cannot be quantified.
Compliance risk is one thing and it is both known and containable. An Equifax or Cap-1-class loss is another thing entirely and defining that sort of risk in terms a board can understand is not just necessary in terms of corporate governance, but it is increasingly essential to corporate and individual survivability in a cyber-era of rapidly expanding unknowns.