The Case for Adding a Cybersecurity Expert to the Board of Directors
By Jason Kane, Senior, Risk Advisory Services
There is no question about it: a cybersecurity breach is a detriment to any business. Not only is there an operational impact due to downed systems, but there are also financial, legal, regulatory, and reputational impacts. As time goes on and hackers become more advanced, not only will cybersecurity events occur more frequently, they will also be more complicated than ever to recover from.
For this reason, cybersecurity has become a board-level matter. Almost all boards of directors are involved in setting companies’ overall cybersecurity strategy. As the issues related to cybersecurity become more complex and intertwined with the rest of the business, boards should consider the benefits of including an independent cybersecurity expert.
Having a cybersecurity expert on the board of directors will be key to keeping companies moving forward. A 2019 survey showed that more than 50% of Fortune 100 companies have disclosed a board member who is charged with cybersecurity governance, and companies such as Disney and Verizon have already proposed tying executive pay to cybersecurity metrics. Similar to how an audit committee is required to have a financial expert, a cybersecurity expert will have specialized experience with a wide array of technology security issues and will be able to provide insight to assist the board in setting policy and asking the right questions of the Chief Information Security Officer (CISO) and IT management in a crisis situation. Without a cybersecurity expert on the board, fewer than 33% of IT executives believe that boards understand the cybersecurity information presented to them, and less than 40% believe their communications to the board are effective. Having a cybersecurity expert would increase boards’ understanding of cybersecurity topics and would put organizations in a better position to mitigate risk.
With the rise of ESG (environmental, social, governance) awareness, we are heading towards a future with additional reporting requirements for public companies. Not only will major data breaches be public knowledge, but a company’s compliance with security and privacy laws and regulations will be released as well. As the demand for transparency increases, major cybersecurity initiatives and events may also have to be disclosed, and in more depth than simply stating a liability on the balance sheet. In a December 2020 Securities and Exchange Commission (SEC) focus on ESG, it was discussed whether the SEC should consider requiring “forward-looking disclosures, and backward-looking measures, of material ESG risks” in public companies’ annual filings. Public companies are already starting to supplement their annual reports with reports on ESG due to investor demand, and these requirements will trickle down to privately held companies. Having a cybersecurity expert on the board of directors will assist companies in handling the increased requirements.
Additionally, as security and privacy laws become more widespread and complex in the push for greater transparency, a cybersecurity expert will be able to provide appropriate oversight on these issues. A recent survey completed by ISACA (Information Systems Audit and Control Association) found that 45% of IT managers were not clear about which cybersecurity regulations their companies are required to comply with. A company required to comply with data privacy regulations such as the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), or to meet other cybersecurity standards such as HIPAA (Health Insurance Portability and Accountability Act), the HITRUST CSF (Health Information Trust Alliance Common Security Framework), or ISO 27001, will benefit from an expert’s opinion on the numerous security and customer data issues intrinsic to the company’s continued viability. Data breaches and other cybersecurity events are widely reported in the news; consumers, investors, and other key stakeholders are taking notice and want to ensure they can digitally trust the companies with which they transact.
As the world moves ever closer to complete digitalization, it is imperative that companies innovate in order to keep pace. The cybersecurity tasks and requirements for boards of directors will continue to increase, and organizations should act decisively to bring on top talent to do the job.