Founder’s Edition, by Joseph Neu
Cybersecurity is now a board-level risk and that might justify a board-level cyber risk committee, NeuGroup members said during our recent Internal Auditors’ Peer Group meeting.
In a discussion about cyber risk and a tangential conversation on separate audit and risk committees, chief audit executive members from tech and other IP-intensive firms highlighted the issue of cybersecurity expertise and experience at the board level. Directors on most audit or risk committees don’t necessarily have this specialty expertise in their backgrounds.
- Don’t wait for the mandate. While other specialty areas of expertise, e.g., finance, have been mandated, cyber risk is too important to leave off the list of desired qualifications for board of director recruiting.
- A dedicated cyber risk committee would help with recruiting. Forming a separate committee for cyber risk would help focus minds on recruiting such directors. It would also elevate the CISO or Infosec head with a board committee reporting line.
Separating the chief information security officer (CISO) or information security reporting lines from the chief technology officer or IT function was also a takeaway for several members. The reason:
- It’s too easy for the technology group to allocate budget away from cybersecurity-related projects to favor shiny-object, customer-facing or revenue-generating technology spend.
Some firms therefore have the CISO/InfoSec head report to the CRO instead, or to the CFO if there is no CRO, but:
- A CISO/InfoSec reporting line to the chair of the board’s cyber risk committee would give them that much more autonomy.
If you’re looking for a driver to push this initiative, look no further than the SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures, which came out in February 2018. In the wake of Equifax and other breaches, the SEC had felt an increasing need to issue guidance on disclosures because senior executives were found to have sold company shares during the period when they were aware of an incident, but before it had been publicly disclosed.
Generally, once specific risk factors are called out for disclosure the need for governance of them also rises. The SEC guidance includes the following on board risk oversight:
- Current SEC regulations “require a company to disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure.” How does it look if the board doesn’t have cyber in one of its committee’s mandates?
- Such disclosures “should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.” This is where the reporting line to the head of cyber risk comes in.
- “To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk.” Yes, cyber risk counts as important!
- “In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” Outlining the program in SEC reporting is one thing, but investors and regulators will also naturally look into the qualifications of the directors charged with cyber risk oversight.
Have you done your due diligence on the need for a cyber risk committee? Hint: Consider rolling privacy into their mandate, too.
Rolling in the Deep (Data)
As a related issue, data and data privacy are other areas that boards are going to need some knowledge of, particularly the requirements of last year’s General Data Protection Regulation (GDPR) and now California’s similar California Consumer Privacy Act (CCPA).
Data collection, storage and management, as just about every corporation is learning (in some cases, the hard way), is critical to success. Like blood it needs to course through the company’s veins in order to stay competitive. However, if there’s a breach and that data starts pouring into cyberspace, it could cost the company dearly. That’s why governments are stepping in.
Both GDPR and CCPA are regulations that require companies to get a handle on their sprawling data troves, make sure they are secure and be ready when someone – the “data subject” – wants their personal data purged from wherever the company holds that data.
As IAPG members learned at their recent meeting, complying with the data subject part isn’t that easy.
- What is personal data? What is personally identifiable information? GDPR thinks of them as two distinct things – but both critically important. And who will manage it all? The DPO of course. If your company doesn’t have a data privacy officer already, then it should be looking for one posthaste.
But even with the best data organizing efforts, total control is elusive. As a presenter at the IAPG meeting pointed out, “100% GDPR compliance is an illusion.”
- That’s because there are “many systems, files, hard copies containing personal data. Think about the human resources archives, systems backup and archives, one-time used Excel work files, etc. There is no company that has a complete and accurate inventory of personal data,” he said.
Nonetheless, companies should be able to show that they are making a solid effort.