There should be little doubt about cybersecurity’s importance in 2016 given the amount of attention the topic has garnered in the past decade. Board directors and top leadership are under pressure from all sides: from federal and state regulators, from business partners seeking to tackle third-party vendor cyber risks, and from shareholders and their class-action lawyers ready to sue the moment a breach is announced.
The SEC’s leadership has been crystal clear about the responsibilities of board directors for proper cybersecurity governance. In his 2015 ABSPE speech, SEC Commissioner Luis A. Aguilar put it very clearly: “In the end, boards have a fiduciary responsibility to ensure that they possess the necessary skills, experience, and judgment to be competent stewards of their companies.”
In 2014, at the New York Stock Exchange on June 10, 2014, Aguilar had also declared that “board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues.”
For those still needing convincing, “Chapter 8: The risks to boards of directors and board member obligations” of the New York Stock Exchange’s book, “Navigating the Digital Age,” contains dire warnings for directors about their obligations and responsibilities for adequate governance of cybersecurity risks.
Board directors have a fiduciary responsibility for cybersecurity. So the question is no longer whether board directors should do something about cyber risks, but instead what should board directors do to not only show that they are governing in this area, but also demonstrate that they are making the most effective decisions to ensure that cybersecurity risks are within acceptable levels.
How are board directors supposed to make the best possible decisions about cyber risks when the information they receive is full of technobabble about attacks, firewalls, malware, and the like? How are board directors to be adequately prepared, to have adequate deliberations, and adequate engagement on cybersecurity issues if the information reported to them doesn’t translate into the business impact of various risks? How can they make use of a subjective top-5 or top-10 list of cyber risks the organization is currently facing, or worse, a laundry list of color-coded controls that belongs in a risk register better suited for auditors?
Are Cyber Risks Adequately Reported?
If oversight of cybersecurity risks has become a strategic business issue, how are board directors supposed to oversee this issue if it isn’t translated and related to areas of the business? As a Deloitte report on risk puts it, “Is my Risk team giving me the confidence I need to make high-stakes decisions?” Based on a recent report by BayDynamics, the reality on the ground is far from that goal. The report found that “only two in five IT and security executives agree or strongly agree that the information they provide to the board contains actionable information. As a result, only 29 percent of respondents believe they get the support they need from their boards.”
A quantitative approach to measuring and reporting cybersecurity risks can empower the board and top management to make well-informed cyber risk decisions. By relying on cyber risk data in financial terms, boards can ensure that they are properly informed and understand cyber risks, and thus ensure that the organization is making cost-effective decisions regarding its handling of cyber risks. In other words, board directors, armed with quantified cyber risk data, can make a strong statement about their oversight of this critical domain.
While this concept is relatively new in the cyber area, financial institutions and insurers have relied on risk quantification for decades. Using “Value at Risk” (VaR) to measure cyber risks is a concept whose time has come. In 2015, the World Economic Forum (WEF) released a special report entitled “Partnering for Cyber Resilience — Towards the Quantification of Cyber Threats.” In the report, the WEF describes that cyber value-at-risk models are “characterized by generic applicability across industries, scalability, ease of interpretation and ability to support executives’ investment and risk management decisions. Building the complete cyber value-at-risk model and having a comprehensive outlook on the organization’s assets under threat, organizations can also make decisions with regard to the appropriate amounts of investments in security systems.”
Similarly, Deloitte, in its CIO Journal section of the Wall Street Journal blog, writes that “cyber value-at-risk ultimately seeks to help them make more informed, confident decisions about their organizations’ risk tolerances and thresholds, cyber security investments, and other risk mitigation and transfer strategies.”
A standard cyber Value at Risk model has since emerged (FAIR). To ensure that board directors are provided with actionable data about cyber risks, organizations should look for a quantified cyber risk solution that can:
- Quantify cyber risk in financial terms
- Understand where cyber risks are concentrated to be able to quickly focus on high risk areas
- Assist the organization in prioritizing areas where cyber risks can be quickly reduced
- Visualize the impact of cybersecurity initiatives (amount of risk reduced/shifted, impact on exposure surface)
- Assess the efficacy of cyber risk programs by comparing to previous time frames (last quarter,versus last year)
Such a platform would provide board directors with the necessary skills, experience, and judgment to be competent stewards of their organizations’ cyber risks. This would also ensure that boards, together with management, can properly prepare for, properly debate, and properly engage on cybersecurity risks. Ultimately, it would give board directors the confidence they need to make the high-stakes cyber risk decisions that are so critical to the business today.