Cybersecurity advice for boards: Pursue growth in an environment of escalating cyberthreats

Kaelyn Barron

In 2023, the cost of cybercrime will surpass $8 trillion. To put this in perspective, cybercrime will cost more than the national GDP of every country in the world except the U.S. and China.

You may be asking: How did we get to this point? Let’s start by looking at a hard truth. Every action you take — from acquiring a new company to launching a new customer portal or hiring a hybrid worker — expands your surface area and adds more entry points for cyberthreats and attacks.

Bad actors are taking advantage of this new reality, as evidenced by recent data:

Retreating in fear is not the right choice. All enterprises have goals for growth, which means expanding digital infrastructures and connecting to more customers, partners and workers worldwide. This makes cybersecurity more than a preventive measure — it’s a core enabler of growth that must be planned, funded and embedded in every department across the enterprise.

In addition to these escalating threats, boards need to be aware of multiple emerging SEC regulations related to cybersecurity, which will require regulated entities to adopt policies and procedures for responding to cyber incidents. Regulations are also tightening worldwide, with the U.K.’s proposed audit reform bill, expanding privacy laws in Australia, and ASEAN regulatory changes that include a focus on cybersecurity for critical infrastructure.

Compliance with these new rules could become a bit complex, as they will likely include information received from third-party institutions and requirements for reporting cyber incidents to both customers and regulators.

Given the importance and ubiquity of cybersecurity, it’s the board’s role to ensure the organization is fully prepared to mitigate threats and respond effectively in the event of a successful attack. This requires a strong strategic plan — a plan that can be led by the CIO or CISO, but must engage leadership from every part of the organization.

While the technical and operational details of a plan should be owned and executed by cybersecurity professionals in the organization, CEOs and board directors need a level of cybersecurity understanding that allows them to approve plans and budgets dedicated to mitigating risk. Leaders from every department need to leverage modern data collection and reporting tools that paint a clear and concise picture for the board.

In addition to regular reporting, here are six key considerations for your board as they work toward consistent growth while mitigating threats:

1. Prioritize your assets

It’s nearly impossible to protect every element of an enterprise. Most organizations have sprawling digital infrastructures that connect workers, customers, business partners, systems and machines.

It’s up to the board to understand the value of assets across the enterprise and prioritize which ones must absolutely be protected. Identifying the “crown jewels” is an important first step that requires a deep understanding of both how the enterprise operates today, and what it will need moving forward.

2. Understand your security infrastructure

Selecting security technologies, deploying a tech stack and monitoring its effectiveness are all responsibilities of CIOs, CISOs and IT teams. But it’s important for the board to understand the strategy behind the technology and the plan for staying resilient in the face of ever-changing hacker technologies and methodologies.

The teams preparing reports for board meetings need modern tools that allow them to collect data from these various systems and turn that raw data into meaningful insights. Threats to the organization are constantly evolving, and directors need real-time insights to ensure they are providing effective guidance.

3. Plan your response to a breach

It’s important for boards to be prepared for successful ransomware attacks and other intrusions, because it’s likely one will occur. Does the organization negotiate with hackers? Pay them? How are communications with shareholders, customers, business partners and media managed? Having a detailed plan is essential.

If an incident occurs, you might not follow the script precisely — but it will provide a necessary guide. A key part of the plan is defining the board’s role in the event of a breach. The tasks of communicating with the most important stakeholders typically falls to the board.

4. Develop detailed recovery plans

How your business recovers from a cyber incident depends in large part on the recovery plans in place. Yet, many executives we've interviewed have yet to test their business recovery plans.

Boards want to know who “owns” business recovery, if there is a planned response and if it has been tested for a cyber incident. Start developing a plan, assigning roles and responsibilities, and testing the plan now in order to minimize the impact of potential incidents.

5. Add a cybersecurity expert to the board

The new SEC regulations will also require some organizations to designate a cyber expert and disclose that person’s cyber credentials.

To be considered an expert, a director will need to have clear cyber credentials, such as a special clearance, experience working for a cybersecurity firm or completion of adequate coursework.

It may be valuable to the board to bring in outside experts, such as cybersecurity forensic firms, outside accounting firms and law firms.

6. Prepare for proxy season

The SEC has required regular and periodic updates on cyber processes and policies. When the proposed SEC regulations pass, this will become even more critical.

When it comes time to do your proxy, it’s advisable to disclose more, rather than less.

For example:

  • Describe exactly how your board oversees cyber risk
  • Identify who presents to the board on cyber matters
  • Provide an overview of your IT and cyber organization
  • Explain the current breach protocol and whether the organization has performed tabletop exercises

Explore IT risk management solutions from Diligent

Cybercriminals deploy best-in-class technology to attack your infrastructure. You need to do the same to protect your enterprise.

Diligent IT Risk Management offers strong protection against costly data breaches, penalties and reputational damage. Organizations around the world use our technology to stay ahead of emerging cyber risks and empower their boards and enterprise leaders to make informed risk decisions.

To learn more, visit Diligent Board Reporting for IT Risk.

Related Insights
Kaelyn Barron
Kaelyn Barron, Senior Specialist at Diligent, has expertise in ESG, environmental law and the intersection of governance with these issues. Her background in international relations allows her to provide unique insights into emerging ESG frameworks and regulations that impact multiple regions.