Editor: Some posit that cybersecurity is a well-established issue of concern for most boards. Do you agree?
Hennes: I agree that it is established but not yet well established. Boards certainly have been attuned to cybersecurity as part of general risk management, but over the last two years, it's become clear that this is an issue for all companies, not just those traditionally considered to be technology driven.
We are still in the early innings of addressing and managing the risks that cybersecurity poses. Increased attention from boards is due to a number of factors, including the growing importance of technology and data to business operations. Also, the negative publicity and harm to the business caused by data breaches at major companies like Target, Home Depot, eBay and most recently Sony, among others, is increasing public awareness concerning identity security and driving a lot of the focus in this area.
Editor: We know that reputation is a top-level concern for many companies. Can you parse out some of the related issues?
Hennes: It's fair to say that reputation is on the short list of items for boards to consider. A board’s emphasis on cyber-related issues should be driven by the type of data involved and the importance of that data to the company’s operation. For example, if you are a director of a consumer-facing company, cybersecurity is extraordinarily important. Manufacturing companies will find it less so, but still important because data security poses a number of other risks, including employee security – in the form of an Edward Snowden-type situation – and espionage efforts by competitors and foreign countries. For boards, the risk is not limited to individual credit-card-type security; it’s a much broader issue.
Editor: How deep is the infiltration of cyber risk? I’ve heard that data security risk can reach into board communications themselves.
Hennes: It certainly touches the board level because the traditional method of sending FedEx packets to board members is not as prevalent. Most of the time, boards communicate electronically, by email or through a portal system. Board communications, although not necessarily as important as core corporate data, are as much at risk as any of the company’s sensitive business technology and operational and customer data.
Editor: Beyond the board’s level of awareness, the findings of the 2014-2015 NACD Public Company Governance Survey reflect that boards don’t have a high level of confidence in their ability to oversee cyber risk. What should boards demand of their executives, in terms of the quality and quantity of information, to enable better oversight?
Hennes: The findings are exactly correct. Boards are responsible for oversight and not management, so the question is: how can boards make sure that they are properly overseeing the company’s activities? First, they can treat cybersecurity as they would any other significant enterprise risk, such as business risk and ensuring accurate financial reporting. Again, depending on the type of company, as mentioned earlier, a board should elevate cyber issues to an appropriate level of priority in terms of giving it the attention it deserves.
What does that mean in terms of practicalities? It means that boards should ensure that there is a knowledgeable officer who is responsible for overseeing the company’s cybersecurity and for providing appropriate periodic reporting to the board on best practices and benchmarks against competitors as to how to handle data security. If a board is not confident in its ability to properly discharge its oversight duties and thus not able to have a meaningful discussion with management on the issue, it may need its own consultant on the issue. Depending on the overall importance of the issue to the company and the board’s level of comfort, it may consider looking for a director with expertise in this area, although those directors are hard to find.
A board should focus on risks that are specific and unique to its company in terms of how its data is stored. Most importantly, boards should pay careful attention to planning for crisis management, meaning the company’s response to a cybersecurity event, such as a well-publicized data breach.
Editor: Given all these factors, should boards generally be looking to reconceptualize where oversight responsibilities lie, for instance, with an audit committee versus the full board?
Hennes: I don’t think so, unless the board feels that there are unique issues that warrant doing so. Cybersecurity should be treated like any other important issue, meaning the board must assess its level of comfort, determine what resources to devote to the issue and, in discharging its duty of oversight, appoint an officer, receive his or her reports, and ensure that all signs indicate that management is properly dealing with and prepared for the issues. Generally speaking, I am not in favor of appointing committees for the sake of appointing committees.
Editor: Earlier, you mentioned significant financial and business risks. What are the issues and costs of managing cyber risk?
Hennes: The risks are multiple. First and foremost are reputational harm, harm to customers and core counterparties, and the harm of business interruption, such as the inability to use networks and servers. Those are the core risks, and we’ve seen their impact on Target and, more recently, on Sony, where we are seeing an impact on the company’s talent, its business relationships, and a need to manage the exposure of all of its internal communications and sensitive contracting data.
And legal risk goes along with that. For example, there is litigation arising from claims brought by consumers and business parties for data security breaches. Actions have been brought by shareholders, both for securities law violations and against boards for failing to discharge their fiduciary duty to protect the corporation from harm. But legal risks should not drive the analysis here, though they certainly can be costly and distracting. It is the business risk that boards must be attuned to most fundamentally.
Cyber insurance is a relatively new product that folks can explore to see if that is appropriate, from a premium perspective, for companies to manage the financial costs of dealing with this harm. Obviously, insurance covers losses, legal fees and other associated expenses, but it will not help deal with the reputational harm and the other business-related issues; therefore, cyber insurance is worth exploring to see if it will help cover or mitigate costs of a cyber attack and its consequences, but it will not solve the problems caused by a data breach.
Editor: What are your thoughts as to the allocation of resources in this context? Should the focus be on making sure your systems and internal procedures are in place, or do you want to spend money on insurance?
Hennes: Both should be considered, and certainly the former should be adopted. The board has to do its homework, including research as to risks as well as insurance terms and premiums, and then determine an appropriate use of resources as to the possibility of layering a policy on top of other efforts.
Editor: Shifting gears, is guidance available from regulatory agencies?
Hennes: To some degree. Regulators tend to trail development in new areas like cybersecurity, so we are just starting to see what guidance might look like. In 2014, the SEC hosted a roundtable focused exclusively on cybersecurity and has, along with FINRA, announced a cybersecurity initiative in which they are reviewing the preparedness of companies under their respective jurisdictions. The New York Department of Financial Services has issued guidelines regarding how it will examine the cybersecurity efforts of banks, and in February 2014 the National Institute of Standards and Technology, in accordance with an Executive Order issued by President Obama, released the first version of the Framework for Improving Critical Infrastructure Cybersecurity. This Framework provides standards and best practices to promote the protection of critical infrastructure cybersecurity.
Editor: With guidance coming down the pike, is compliance, for the moment, a fluid issue, especially given a hacker’s ability to stay ahead of the technology curve? How can boards keep their arms around these issues?
Hennes: You’re exactly right in identifying this problem. My expectation is that, at the same moment guidance comes out, hackers and folks looking to breach data security will be as many as three or four steps ahead of that guidance. Constantly evolving areas like this are classic examples of where boards have to exercise their duty of oversight to ensure that management is allocating resources appropriately and is paying sufficient attention to the important issues we’ve been talking about, and not wait for regulatory guidance.
Editor: When a breach occurs and an investigation is underway, do regulatory agencies take into account existing programs and efforts by the company? Is that all part of the picture?
Hennes: Yes. The classic metric for regulators is whether a company ensured that it had proper systems in place to begin with. Was there negligence or gross negligence, or is it the case that, notwithstanding best efforts and appropriate systems, something unforeseen occurred that caused a loss? So, yes, regulators will ask: was this unpreventable or was the company asleep at the switch?
Cybersecurity is not a traditional area of regulation, except we now see states getting involved in probing whether companies have taken sufficient measures to protect consumers as well as enforcement actions by the FTC claiming lax data security is an unfair trade practice.
Editor: In closing, tell us about being a panelist at NACD’s recent Leading Minds of Governance program. I attended the event and was impressed with the discussion and constructive dialogue among attending members.
Hennes: The NACD Leading Minds of Governance program is invaluable because the circles that I travel in tend to be legal in nature and obviously involve interaction with directors and management on these types of issues. The panel on which I participated represented a convergence of the legal, academic, recruiting, shareholder and auditor perspectives. In this context, NACD members can bring their individual perspectives and see how the relevant issues are discussed among the group. I believe it is valuable for directors to hear and see different perspectives all at once, and I know it's valuable for me. Finally, on the specific issue of cybersecurity, your readers may appreciate knowing that they can download NACD’s Directors’ Handbook on Cyber-Risk Oversight. The handbook is featured on the Department of Homeland Security’s website and is an excellent resource.
Published December 22, 2014.