BoardroomDirect®
Update on the current board issues: August 2014

August 2014
  • Print-friendly version
BoardroomDirect®<br><span>Update on the current board issues: August 2014</span>

At a glance

As cybersecurity has risen to the top of many boards’ risk management agendas, there is a more compelling need for clear dialogue between the C-suite and the board.

Changing message and messenger may be a way to improve cybersecurity dialogue

As cybersecurity has risen to the top of many boards’ risk management agendas, there is a more compelling need for clear dialogue between the C-suite and the board.

Some directors report they are frustrated because they are not getting the information they need from the CIO or CISO to appropriately assess the company’s cyber risks, according to Charles Beard, a principal in PwC’s forensics practice. He is a former senior vice president and general manager of cybersecurity at Science Applications International Corp.

“One way to address this issue is to change the message from one focused on the technical aspects of the company’s approach to one focused on oversight of a comprehensive and multi-disciplinary cybersecurity program,” Beard said. He also suggests that the person delivering this program-focused message should be someone who can easily communicate it to the board in contextual risk terms.

Why should a company have such a program? As regulators and plaintiffs in civil lawsuits take increasing interest in companies’ cyber operations and duties, IT budgets reflect a “do-more-with-less” approach, digital devices are proliferating and network access has become pervasive. Effective risk management is required to manage these increased vulnerabilities. A formal comprehensive risk management program acknowledges the reality that companies are inextricably linked to all things digital and that breaches are an increasing threat.

“There are both heightened enterprise cyber risk from external and internal threats and a growing appreciation of the implications of this risk by regulators,” said Sean Joyce, a principal in PwC’s forensics practice who recently retired as Deputy Director of the FBI.

Joyce added that, strategically speaking, he believes a formal cyber governance oversight program:

  • Demonstrates to external stakeholders (e.g. regulators, clients, partners etc.) that the company understands and appropriately manages its cyber activities and related obligations; and
  • Shows the intent to be a good corporate citizen through a program based on a proven and respected corporate governance methodology (e.g. involving oversight, accountability and process) and compliance standards.

Operationally, a comprehensive cyber risk management program:

  • Focuses the company on its potentially significant cybersecurity issues (e.g. data privacy, system vulnerabilities, and internal and/or external threats);
  • Drives a proactive and organized approach to cyber threats; and
  • Permits a rational and prioritized response to regulatory and contractual requirements, and to emerging standards.

The program should include a holistic risk assessment and topical and oversight-driven policies, procedures and protocols, according to Beard. It should be actively managed, and led by a C-suite member with a broad appreciation of corporate goals, strategies and operations. In some cases, this might be the general counsel.

Why the GC? Frequently, significant cyber issues actually or potentially impact third parties and have legal implications. The manner in which these matters are disclosed and managed and resolved often has identifiable business impact, with sales, stock price and reputational consequences. The GC is inevitably at the vortex of these matters and is familiar with the universe of the related regulatory and business issues. Significantly, in terms of surmounting the communications impasse that can exists between the board and the more technically inclined corporate officers such as the CIO or CISO, the GC, through his or her role as corporate secretary or close work with the corporate secretary, is generally more familiar with board processes, needs and priorities. In many cases, that can allow the GC to facilitate the critical expansive cyber dialogue.

[For more information on cybersecurity risk management for the board, directors may want to read the National Association of Corporate Directors’ Handbook on Cyber Risk Oversight, which is featured on the US Department of Homeland Security’s Critical Infrastructure Cyber Community (C3) Voluntary Program website. For further reading on cybersecurity and boards, read BoardroomDirect February 2014 Issue in focus (The latest on cybersecurity).]