Improving board oversight of cybersecurity

The breaches of consumer data at Target and Neiman Marcus this past holiday season further intensified the spotlight governance experts had already begun to shine on cybersecurity readiness at companies and the adequacy of board oversight of such risks.

The latest Law in the Boardroom research report, released on May 27 by advisory firm FTI Consulting and NYSE Governance Services, provides more insight into how well prepared boards and general counsel believe their companies are to oversee this key aspect of risk management. The report delves into the most pressing governance trends and legal matters identified by 500 US directors and general counsel surveyed earlier this year.

The good news is that data security was the number one response from directors when they were asked about what’s keeping them up at night; and it was the second highest concern for GCs. But a deeper dive reveals some disturbing things.

For instance, the confidence levels among directors and GCs in their company’s plan to respond to a security breach were 43 percent and 45 percent, respectively. But as many as 27 percent of directors and 34 percent of GCs say they aren’t convinced their company is secure and impervious to attacks. And more troubling, the report said, ‘is the fact that fully one-quarter of directors and GCs surveyed believe their company is well shielded against hackers, which brings into question how well cyber and IT risks are really understood by this segment.’
 
It’s telling that while respondents were asked how confident they are that the board has the necessary talent and skill sets to ensure good decisions about IT, no comparable data was provided as to confidence in boards’ skill sets to be able to make sound decisions about cybersecurity. When you look at all the other questions about talent and skill sets of boards and GCs, data security is never mentioned,’ says Jean-Marc Levy, SVP and head of global issuer services, Intercontinental Exchange – NYSE. Cybersecurity doesn’t make the list of the top five things that directors and GCs believe their counterparts are most skilled at, nor the list of topics that GCs are confident directors can address credibly when communicating with shareholders, he adds.

There’s also heightened awareness that directors don’t know which questions regarding cyber risk and security to ask senior management at board meetings, Levy says.

He notes a few best practices that are emerging to rectify this, most importantly the growing recognition that cybersecurity should be a regular agenda topic in board meetings, rather than being addressed only in terms of incidence response or crisis management.

There’s also a greater effort by boards to seek out education to better understand the issue. ‘It’s not just about outside threats,’ he says. ‘It’s also about inside threats. There’s a level of risk associated with cybersecurity that is not necessarily what boards think about intuitively.’ NYSE Governance Services provides such education, as do a number of consultants focused on cyber risk, that show boards how to set the right agenda around IT strategy and security and which questions to ask at board meetings.

In the context of board refreshment, more boards are starting to develop skill matrices used to identify key areas of risk management associated with their business and then draft an inventory of skills and talents that their board needs in order to properly manage those risks. Matching directors’ skill sets against those skills and seeing the gaps on the board ‘makes decision-making in terms of board selection a lot less subjective than before,’ says Levy.

The evaluation processes for directors that the best companies use are focusing more on these skills and risk inventories. ‘To an increasing extent, I think this will lead to significant changes in board composition over the next several years,’ says Levy.