In March 2022, the Securities and Exchange Commission (SEC) proposed rule changes requiring public companies to provide enhanced disclosure regarding cybersecurity incidents, risk management and strategy. This proposal is part of a broader regulatory trend: enforcing new accountability standards on the private sector (especially its most senior leaders) regarding the evolving threat of cyberattacks.
This trend is largely driven by emerging sources of geopolitical risk, many of which overlap significantly with cyber risk. High-profile espionage efforts (in addition to internal leaks) underscore the extent to which geopolitical risk is cybersecurity risk in a world characterized by new methods of digital subterfuge.
Amidst this shifting environment, boards must develop a deep understanding of their organization’s cyber risks in order to provide adequate oversight across their cybersecurity and compliance programs. Neglecting this responsibility puts the organization at risk of the reputational damage and financial burden of noncompliance. A proactive approach to risk management is the key to staying compliant and staying ahead of emerging risk.
In a recent panel discussion, "Do Better: Board-Level Accountability in Cybersecurity," at the 2023 RSA Conference, Diligent CEO Brian Stafford, Docusign board member Maggie Wilderotter and former Associate General Counsel (Privacy) at Zoom Greg Silberman covered six ways your board can strengthen its cyber literacy in preparation for a new era of corporate accountability.
1. Seek out external advisers
Your board needs to possess a deep understanding of your company's current approach to cybersecurity. Moreover, your board should include members who bring an extensive cybersecurity background to the table.
Meeting these new cybersecurity standards requires the expertise of external advisers with deep knowledge of cybersecurity. Boards would be well-advised to partner with these advisers for an objective look at their current cyber posture, and at how that posture compares to what a business in their position should expect.
Of course, you shouldn’t entirely outsource your cyber decision-making to outside experts. It's also important to have the right expertise on the board, as Brian Stafford noted during the panel discussion: "As boards look to add more diverse perspectives and backgrounds, adding professionals with more cyber knowledge would be a huge asset." Furthermore, seek to leverage the expertise of outside experts to build a strong cybersecurity function into your board so that it can continuously evaluate the company’s preparedness at the highest levels.
2. Get independent validation through certification
Similarly, boards should seek independent validation and assurance of their organization's cyber risk posture through recognized certifications and attestations. Examples include ISO/IEC 27001, SOC 2, Common Criteria and FIPS 140. Note that these cover different scopes: ISO/IEC 27001 certifies the organization's information security management system, SOC 2 is an auditor's attestation report on its controls, while Common Criteria and FIPS 140 validate specific products and cryptographic modules rather than the company as a whole.
These certifications serve a dual function: in addition to setting your organization up for better cyber governance, they substantiate and quantify the organization’s commitment to security for a commercial audience.
But it's important to remember here that certifications are not magical talismans: a certificate attests to a defined scope at a point in time. Rather, they are a foundation on which the board (and the company at large) can build a strong cybersecurity strategy that is attuned to their business. It's crucial that boards understand this distinction and can articulate it appropriately.
3. Quantify cyber exposure to test financial resilience
"Trust but verify." It’s a commonly heard dictum in the field of cybersecurity, and it’s a principle the board should be intimately familiar with.
As boards continue to embrace innovative technology that pushes their business forward (biometrics and AI, for example), they must do so with an understanding of the new risks that innovation brings to the business. Balancing that risk with the utility of novel technology and quantifying the organization’s cyber exposure should be a core concern of top leaders.
Boards should also conduct this analysis with an eye on their customers. If the customer base includes government agencies, if the company supports critical infrastructure, or if it operates in a highly regulated industry such as financial services or healthcare, both the regulatory exposure and the consequences of noncompliance are correspondingly higher and should be factored into the assessment.
4. Take an inventory of changes that happened in the shift to remote work
Among other things, the COVID-19 pandemic permanently changed the structure of work. As remote/hybrid work has become commonplace, boards must address new cyber vulnerabilities.
Analyze how the company's core processes have changed since the transition to remote work, including where sensitive information is stored, who can reach it, and how it is transmitted. Ask difficult questions: Has the company thoughtfully updated its security practices to address hybrid/remote work? Or is it still leaning on hastily assembled "interim" measures from 2020 that were never designed for permanent use?
5. Nail down best practices and escalation protocols
Alongside their CISO and other key decision-makers, boards should put together concrete procedures for sustained cyber readiness. Start with the following:
- Train senior leaders, not just rank-and-file staff, on the fundamentals of cybersecurity
- Devise a decision matrix that escalates issues to the appropriate level, backed by written playbooks for staff to follow
- Use a communications escalation plan so that the board is drawn into only significant incidents, not every one
This framework accomplishes two important goals: it keeps the board in the loop concerning high-level cyber threats and it streamlines communication to keep decision-making in the right hands depending on the size and scope of potential attacks.
6. Foster a culture of cyber resilience
It is imperative that the board leads by example when it comes to strengthening cybersecurity to align with new compliance standards.
Build relationships between the board and internal stakeholders leading cyber efforts within the organization. Loop the board into the promotion of security efforts, and make these efforts visible in internal communications. As Brian Stafford noted during the panel, "You're never going to avoid every cybersecurity threat. But the way you communicate to the board is really important; it needs to be an ongoing conversation as they provide oversight. This is where best practices are important. What kinds of questions will you get asked when presenting risk to your board?"
It's crucial that the board demonstrates leadership through consistent monitoring and oversight. After all, if the board shows a lack of regard for cybersecurity, why should employees and other leaders within the company treat it as a top priority?
Looking for an educational resource for your board? The Diligent Cyber Risk & Strategy Certification teaches corporate directors cyber literacy, empowering them to understand current regulations, emerging risks and best practices. Enroll in this exclusive curriculum led by cyber experts today.