Growing cybersecurity threats, especially ransomware attacks, and the Securities and Exchange Commission’s (SEC) recent rules have made having a cybersecurity-aware Board of Directors (BOD) a critical business requirement.
Unfortunately, even today not all BODs are equally aware of the importance of cybersecurity in both their own understanding and oversight and the crucial role it plays in reducing risk to business operations. Even when boards have some awareness, it’s not easy for the board and those around them (e.g., CEO, CISO, etc.) to gauge how much expertise the board has in overseeing and managing cybersecurity risks. Some boards might have an overabundance of cybersecurity experience and expertise and others may not even be aware of how much they really do not know. Expecting any board to automatically be up to the challenges posed by cybersecurity risks is likely making an incorrect assumption.
This article addresses some of these issues.
Making the Board of Directors Care
In his book, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors, KnowBe4’s Perry Carpenter stated, “They may be aware and still not care.” No truer words have ever been written.
In our super busy world full of multiple requirements and distractions, it is often human nature to downplay and ignore proposed risks until they somehow become meaningful or impactful on a personal level. For example, most people do not take the extra time to hover over and evaluate URL links until they have been tricked once or twice by social engineering scammers (or simulated phishing tests). Most companies do not move to multi-factor authentication until after they have suffered an attack that would have been prevented by it.
Most board members are likely aware of cybersecurity risks, but if they have not been at the helm of an organization that has been involved in a damaging cyber attack, the urgency of creating a more resilient cyber infrastructure and culture may not rank as high as other topics that are more accustomed to managing (e.g., revenue issues, debt, etc.) when overseeing an organization.
Some board members do not understand what phishing, ransomware, and patching are. We in the cybersecurity field take for granted that everyone in the world understands these concepts when that is not true. And the newer the cyber threat, the longer it takes to make it to the board level. For example, a recent BOD survey conducted by MIT Sloan CAMS showed that while almost every board is bringing up the issue of artificial intelligence (AI), almost all of the discussion are about how their organization can take advantage of AI in generating additional revenues. None of the discussions of AI at the board level (of the surveyed boards) were about the current and future cybersecurity threats posed by AI.
It is crucial for the entire board to understand the importance of getting a resilient cybersecurity infrastructure and culture. It starts by realizing that many board members may simply not be aware of the involved issues and risks. Not everyone knows the same things. You can help lagging board members care more by sharing potential business risk and legal requirements. Start by explaining how a cybersecurity threat, such as ransomware, could impact the organization financially and reputationally.
Ransomware often interrupts normal operations for days to weeks, often results in confidential data being leaked, and can significantly impact revenues. Although not common, some organizations hit by ransomware have gone out of business or have been significantly weakened in both revenue and reputation. It cannot hurt here to disclose the costs and impacts against other similar organizations in the same industry when they have been hit by a successful cyber breach. You can find those statistics all over the Internet or have your CFO call a friendly previously impacted company to see if they would be willing to share their costs and responses.
Companies falling under SEC control must file an 8-K (item 105) public disclosure of a material cyber incident within four days of determining that the event was material. Here is a good website for tracking previous 8-K 105 disclosures.
Determining the materiality of cybersecurity incidents will be one of the biggest challenges an impacted organization can face. Materiality is a technical accounting term, and determination varies depending on how it is calculated. Officially, accounting professionals (e.g., CPAs, etc.) are told there is no particular amount or percentage that makes an event material or not material.
When in doubt, follow the standard guidance of “Would it matter to a reader of a financial statement?”. In practice, the SEC says the amount involved can be as little as 0.5% - 5% of total assets. It can also be lower or higher. It depends on the organization and event. It can be helpful for the CFO and board to discuss ahead of time what factors are involved in determining materiality, so everyone is not trying to figure it out in the stressful immediate aftermath of a successful cyber attack.
Note: Some organizations, such as Microsoft Corporation, have filled 8-Ks Item 1.05s after cybersecurity events even if the event was predicted NOT to be material to operations. Microsoft did so out of an abundance of caution and in support of its public commitment to be more transparent about cybersecurity attacks against its own infrastructure and people.
New SEC rule 1.06 specifically requires the BOD to have more ownership in cybersecurity resiliency. The new requirements are summarized in the SEC’s final document below:
In particular, the new SEC requirements state, “Registrants must: - Describe the board’s oversight of risks from cybersecurity threats.” And “FPIs must: Describe the board's oversight of risks from cybersecurity threats.” This is legal language attesting to the requirement that BODs must be actively involved in managing and overseeing risks from cybersecurity threats. To put this in context, there are not many specific requirements that a BOD has to attest to, but the SEC made cybersecurity threats one of them. That shows you its importance to the BOD. Someone from the executive team (e.g., CEO, CFO, CISO, etc.) should share the cybersecurity risks to operations and any legal requirements with the BOD.
Evaluating Board Cybersecurity Competency
It is likely that some members of the board already have higher levels of cybersecurity competence, and others will have very little. Each board member should be evaluated for their level of understanding, comfort, and maturity with cybersecurity terminology and issues. Have a trusted member or consultant softly evaluate each board member’s cybersecurity understanding.
You are not looking for a board member to have innate cybersecurity expertise, where they can edit software configuration files and troubleshoot unexplainable hardware issues. You are looking to ensure that they understand the involved issues well enough to be able to adequately understand, manage, and oversee the programs directed toward mitigating cybersecurity risks. Offer appropriate-level educational opportunities to those who want or need them.
For example, discuss ransomware. Most, if not all, board members have likely heard of ransomware. The vast majority of them may even understand that it has to do with encrypting files and disrupting software and hardware. But they may not understand the risks posed by likely data exfiltration (which occurs in over 90% of ransomware incidents), the needed responses to an attack, possibly involved cyber insurance impact, and should be educated enough to decide, right now, ahead of time, if the board will or will not authorize a large ransomware payment if asked. If there is a ransomware response plan, they should be shown it.
Note: If you do not have a ransomware response plan, you should. Here are recommendations for what your ransomware response plan should involve.
Do the same with other common cybersecurity issues, such as social engineering, nation-state attacks, supply chain attacks, insider threats, multi-factor authentication (which they should be using to secure board communications), etc. Each relevant issue should be covered along with basic terminology, discuss the threats and risks and how the organization is currently mitigating them. Discuss gaps and existing future plans.
You may find that you have one or more cybersecurity advocates already on the board, and that is great. At the same time, do not believe that the existence of one or two cybersecurity-knowledgeable board members ends up allowing the rest of the board members to shirk their own responsibilities. You do not want to place the board in a position where if those one or two members left, there would suddenly be no cybersecurity-knowledgeable people left on the board. Make sure all new incoming board members are evaluated as well.
The MIT CAMS BOD survey also discovered that one of the most useful tools to many boards was the execution of a “table-top” exercise, where a major cybersecurity event was practiced so that the board could see and learn how all the organization’s resources came together to recover from a particular simulated cybersecurity event.
The overall goal is to get the right composition and level of competency on the board to allow them to meet their contractual, fiscal, and legal obligations. Ultimately, it is to create a board that helps increase and improve an organization’s efficient preparedness to likely cybersecurity threats and reduces risk.
Note: It cannot hurt to explain the difference between cybersecurity compliance and educing real cybersecurity risk. The former is a checklist exercise with or without risk relevance and the latter truly reduces the likelihood of a successful cybersecurity attack. The board will be tasked with meeting both objectives at the same time.
Ongoing BOD Cybersecurity Activities
The board should be kept informed of ongoing and planned cybersecurity activities, including any recent successful cybersecurity exploits. The board should be advised, and in some cases, be asked to approve large cybersecurity projects. The board should be aware of any new major systems being installed or replaced. The board should be made aware of any consultants used to help provide cybersecurity services or responses to attacks. The board should share any concerns, questions, lessons, or suggestions. New growing trends and concerns in cybersecurity should be shared by either side.
Each board meeting should include a presentation of various cybersecurity metrics, which when evaluated over time, show the improvement of cybersecurity risk mitigation. The proposed metrics should be created and explained by senior leadership (e.g., CEO, CISO, etc.). Examples include:
- Number of attempted and successful cybersecurity incidents
- Number of reported real attempted phishing attacks
- % of employees reporting simulated phishing attacks
- % of people taking required cybersecurity education in the required time
- Patching status of software and firmware critical vulnerabilities
- # of malware programs detected
- Average mean-time-to-detect (dwell time) malware programs or cybersecurity events
- Deployment of MFA
- Number of supply chain/vendor assessments
Whatever metrics make the most sense to measure the success or failure of an organization to reduce cybersecurity risk should be used. Some boards may even request that the metrics be displayed on “dashboards” for more timely updates. Metrics should be evaluated on at least an annual basis to see what might be added or removed to improve the oversight.
The board should also discuss and decide on what language to include in the annual SEC 8-K Item 1.06 reports and any eventual SEC 8-K Item 1.05 reports, if needed.
Recommend that senior management and the board talk to other peers at organizations who appear to do cybersecurity right, to see what they are doing. Perhaps even set up informal meetings with other boards to share how each is dealing with the new cybersecurity requirements.
Ultimately, cybersecurity resiliency is not a nice-to-have, bolt-on anymore. Today, cybersecurity resiliency is business resiliency and how goes cybersecurity risk mitigation so goes the business. All boards need to understand that cybersecurity risk mitigation is a big part of their job, not only financially, but often legally.
Here are other resources recommended by MIT CAMS on related topics: