Board members: Look at cybersecurity metrics

By François Gratiolet
Even as companies increase their investments in cybersecurity, cyber-attacks remain prominent in terms of frequency, business impact and visibility. Senior executives are increasingly anxious to stay out of the headlines.

Ineffective cybersecurity may even put members of the board of directors at risk. For instance, over the last five years, shareholders in the U.S. have initiated litigation against directors of Target, Wyndham Worldwide, TJX Companies, and Heartland Payment Systems. Indeed, a data breach cost Target 40% of its profit of one quarter in 2014. As a consequence, the CEO was dismissed. Shareholders of Target urged the ousting of seven of Target’s ten directors for “not doing enough to ensure Target’s systems were fortified against security threats” and for “failure to provide sufficient risk oversight” over cybersecurity.

Most recently, the summer of 2017 was overwhelmed by data breaches. Large organisations such as Saint-Gobain, Renault, FedEx, Maersk, the National Health System in the UK, Deutsche Bahn and Telefonica each faced +100M€ of damages. Equifax lost more than 5B$ in market cap in 2 days, and the Equifax CEO, CIO and CISO left the company.

Because comprehensive European regulations such as the GDPR and the NIS Directive will take effect in May 2018, with fines up to 4% of global turnover, we can probably assume that they will also put board members in Europe at risk.

Another risk that boards of directors face is “activist” shareholders. They can form alliances to challenge the re-election of directors who are perceived not to have done enough to prevent a cyber-attack. Indeed, the role of the board of directors, acting on behalf of shareholders, is all about governance, i.e. to control and oversee decisions related to business strategy and to manage risks efficiently.

According to the New York Stock Exchange’s definitive cybersecurity guide (October 2015), boards of directors mainly fail:

  • to implement and monitor effective cybersecurity programs;
  • to identify and protect company assets and business by recklessly disregarding cyber-attack risks and ignoring red flags;
  • to implement and maintain internal controls to protect customers’ or employees’ personal or financial information;
  • to take reasonable steps to notify individuals in a timely fashion that corporations’ information security systems had been breached.

Because cybersecurity is becoming a genuine business risk, it needs to be addressed with a strong and professional risk management approach. In early January 2017, the World Economic Forum advocated leveraging cyber resilience principles and tools for boards.

Indeed, unlike other business disciplines (sales, marketing, finance, etc.), cybersecurity suffers from a lack of objective data points and KPIs.

In October 2017, E*TRADE board member James Lam stated to Forbes that he would like to see “more cyber risk metrics and analyses, including expert commentary from the CIO and CISO, on the threat environment, risk exposures against risk tolerance levels, and effectiveness of key controls” and that “he would also like to see assurance metrics on overall program effectiveness and early-warning signals on future threats.”

Therefore, board members should receive periodic cyber risk updates from the CIO and CISO through objective metrics, and should also have access to external cyber services with appropriate expertise and experience to rely on when deciding what to do (or not) to manage cyber risks.

This will enable board members to stay involved in their corporation’s cybersecurity program and to provide a higher level of support with the associated risks.

Because board members will be more involved, cybersecurity will be promoted, and senior management, middle management and finally all employees will be engaged.

Overall, this will improve the resilience of corporations, and we can expect that it will bring more value to shareholders, which will better protect board members from “activist” shareholders.