How corporate directors can improve cyber readiness


Cybersecurity threats and regulations are evolving rapidly, and executives and corporate boards must work to keep up with the ever-changing business challenge that cyber risk poses. For many of these leaders, keeping up in the coming year might be an uphill battle.

According to a recent Deloitte poll of more than 1,130 senior executives, just 16.7% were highly confident in the effectiveness of their organisation's current plans to manage and respond to cyber risk. For executives in certain industries, the numbers were even lower. Just 14.3% of executives in financial services reported having high confidence in their company's cyber readiness, followed by technology, media, and telecoms (11.8%) and energy and resources (5.6%).

The coming year is certain to bring an increased focus on cyber readiness for most organisations, both from external regulators and internal stakeholders. According to the poll, some of that focus may be at the direction of concerned board members — 62.7% of executives polled said they expect increased requests from board members about the effectiveness of their cybersecurity programmes. Fifty-seven per cent expected increased regulatory scrutiny in the coming year, as well.

"What's top-of-mind for a number of these executives is how vigilant the organisation is to detect cybersecurity events in a timely manner, and can they respond to and recover from these events and demonstrate, from an overall risk management perspective, that you've got a strong handle on addressing those risks," said Gaurav Kumar, a Deloitte Risk and Financial Advisory principal, Deloitte & Touche LLP.

Kumar and other experts offered guidance on how C-suite executives and boards can adapt to the changing cybersecurity landscape and create ready and resilient organisations.

Accept that cyber risk touches all aspects of business: "We have to think of cyber as a ubiquitous part of our business," said Andrew Morrison, Deloitte Risk and Financial Advisory principal, Deloitte & Touche LLP. "It's no longer a separate topic, but is truly core to what makes a business and permeates everything an organisation does."

Recognising this, boards have an opportunity to set the tone at the top and lead the change in the culture of their organisation — one that recognises cyber risk as a priority and supports resources where they're needed, said Thomas Ake, ACMA, CGMA, chief internal controller at Bureau National D'Etudes Techniques et de Developpement in Ivory Coast.

"Boards should take the leadership in raising awareness among staff that the duty of protecting intellectual capital, customer information and other business data is not limited to the IT staff alone," Ake said. "A more proactive security culture should be developed by removing obstacles."

Understand the board's changing role: Historically, the role of a board of directors in managing cyber activities has been ensuring compliance. Increasingly, that is shifting to a more active function.

"Cyber is a core risk issue, and when you view it as a risk issue, you understand that it can be transferred, accepted, and mitigated like other risks, and the board has a role in governing that risk," Morrison said.

"A difference we've seen of late within the boardroom is not just accepting that there is a risk, but acting by doing things like creating risk committees for cyber in addition to the audit committee on the board, or verifying the organisation's cyber playbooks, or participating in cyberwar game simulations," he said. "There are a lot of things boards are doing now that are very action-oriented toward cyber and I think that's a positive step in the maturity of that stewardship of cyber risk."

Address knowledge gaps: A major hurdle for many boards is that they lack members who have expertise in information technology, Morrison said, citing a 2015 NYSE Governance Services and Corporate Board Member magazine survey indicating that 60% of audit committee members worry their boards have members who lack the knowledge and understanding of technology to effectively oversee IT and cyber risk.

Deloitte's Center for Board Effectiveness and the National Association of Corporate Directors are among the numerous groups that have developed cyber-risk educational programmes for boards, Morrison said.

"Board members have the opportunity to get trained at the expense of corporate on issues where they may have some weaknesses," Ake said. "Whether it is acceptable to say that they are not familiar with an issue and not doing anything about it remains to be seen."

"If you think of the traditional composition of a board, it doesn't usually have that lens," he said. "But more and more, we're seeing CIOs being recruited to board positions — people with cyber backgrounds being sought after for the boardroom."

Appointing board members with knowledge and understanding of cyber risk is not just a best practice, Morrison said. Proposed regulation is taking shape that could soon make cybersecurity-experienced board members a requirement. The board of governors of the US Federal Reserve System, the Office of the Comptroller of the Currency in the US Treasury Department, and the US Federal Deposit Insurance Corporation are considering enhanced cyber-risk management standards for large and interconnected entities under their supervision.

Conduct a readiness assessment: Organisations can choose from a number of voluntary frameworks to guide their cyber readiness programme, including the AICPA Cybersecurity Risk Management Reporting Framework, which was introduced in 2017.

"We likely will start to see boards leverage this form of reporting in the future to gear up and get ready for future attestation," Kumar said, "which means starting with readiness first, so they can identify some of the key control gaps they have and then drive some remediation efforts before they jump into the future of attestation."

According to the Deloitte experts, a readiness assessment should include the following steps:

  • Performing a risk assessment.
  • Defining the company's existing cyber-risk management programme and conducting an IT risk and controls assessment for critical assets and underlying infrastructure.
  • Conducting a gap analysis.
  • Developing a remediation road map.
  • Executing remediation activities to address the control deficiencies that are identified.

Engage independent groups as needed: A number of strategies, including a recent handbook from the National Association of Corporate Directors, encourage board members to also start leveraging independent advisers, such as outside counsel and auditors, to assist in evaluating cyber readiness, Kumar said.

The independent consultant can also be a valuable tool for board members who lack confidence in their understanding of technology issues, Ake said.

"Even though they are not sure about their level of understanding on the issue before making an informed decision, they still have the option to bring in external auditors or consultants if they feel that the corporate has a shortfall internally," Ake said.

Samiha Khanna is a US-based freelance writer.