Why Board Members Are The New Cyber Champions
Editor’s note: The COVID-19 global pandemic has prompted companies around the world to focus their attention on providing for the health and safety of their employees and preparing their organizations for a period of disruption. On top of our regular articles examining the longer-term issues and trends impacting organizations, The One Brief will also bring our readers insights into the current situation.
Making sure your organization is integrating the most effective technology has become a vital, and costly, part of running a business no matter what industry you operate in. Worldwide spending on IT in 2019 was estimated to be $3.7 trillion, according to research firm Gartner.
“At a time when technology has become the heart of so many businesses, cyber security and corporate liability risk are interwoven,” says Stephanie Snyder, commercial strategy leader of Aon Cyber Solutions.
The issue has become even more acute recently as the COVID-19 pandemic has led to more employees working remotely – opening up new opportunities for cyber criminals.
Cyber risks to companies’ bottom lines can be direct (through class actions, fines and investigation costs) and indirect (through reputation damage that can threaten revenue and market share).
Data-breach costs can also put companies’ credit ratings at risk. A ratings downgrade can shape investors’ perception of a business after a breach and increase its borrowing costs. That can affect an organization’s ability to execute strategic plans, such as mergers and acquisitions.
“Great governance drives great cyber security,” says Eric Friedberg, co-president of Aon Cyber Solutions. “Board leadership is becoming key to driving change. Without support from the company’s highest levels, even the most senior cyber security executive cannot alone implement the enterprise-wide changes that result in materially enhanced security.”
As technology becomes increasingly integral to almost every part of an organization’s operations, the cyber risks confronting corporations grow. At the same time, a growing number of regulations govern how businesses handle and protect data such as the General Data Protection Regulation (GDPR) in the E.U. and the California Consumer Privacy Act (CCPA) in the U.S.
The exposure extends to companies’ boards, which are increasingly liable for cyber security as part of their fiduciary responsibilities.
Data regulations should be seen as an opportunity – rather than as a burden – for companies to continuously ensure that proper controls around data handling are embedded within their culture, according to Snyder.
An Emphasis On Accountability
An important regulatory responsibility that companies face is the prompt disclosure of cyber incidents and cyber risk. The required level of accountability is especially high for public companies. In 2018, the Securities and Exchange Commission (SEC) directed public companies to take “all required actions to inform investors about material cyber security risks and incidents in a timely fashion.”
“Private companies have fewer disclosure and reporting requirements than publicly traded companies have,” observes Chris Rafferty, chief operating officer of Aon’s Financial Services Group.
As the amount of cyber risk grows, so does the litigation exposure facing companies and their directors and officers. In 2019, plaintiffs filed a record 428 securities fraud class actions in U.S. courts, including 268 core filings against listed companies and 160 merger and acquisition filings, well above long-term averages.
“The overall litigation exposure for corporate directors and officers is arguably at an all-time high,” says Rafferty.
In the past few years there has been an increase in event-driven litigation, where those “events” include cyber security incidents and attacks. A lengthy lawsuit can affect a company in several ways: high litigation costs can threaten a business’s viability, while litigation risks can threaten M&A activity.
Reputation damage from mishandling data or the response to a cyber attack can also pose a serious threat to both public and private companies.
And, while it might be a rare result, bankruptcy remains a plausible risk associated with serious data breaches.
In 2019 a medical collection agency went bankrupt two weeks after a data breach that it was required to disclose under the federal Health Insurance Portability and Accountability Act (HIPAA). The company not only lost clients and revenue, but it also faced $400,000 in costs for the breach investigation and $3.8 million to send out notices to seven million affected individuals.
Building A Board Of Cyber Champions
The responsibility for protecting the corporation against cyber risk begins at the top. A report from the Office of Compliance Inspections and Examinations at the SEC said that “effective cyber security programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cyber security risks.”
For companies with mature cyber security programs, the emphasis starts at the board – and cyber security may be a key performance indicator that top executives are reviewed against, according to Rafferty.
Company boards are increasingly seeking members who are well-versed in cyber security. That’s not to say everyone needs to be a cyber security expert, notes Snyder. Rather, it’s about being willing to build core skills, instill basic cyber security awareness across an organization and recognize when outside expertise would be valuable.
A new report details Friedberg’s top ten cyber governance directives for board members:
Even as a board member’s leadership role grows, there is plenty of responsibility to go around. “Today’s expectations around privacy, cyber security and disclosure demand a level of sophistication that’s only possible with an all-hands-on-deck approach to responsibility,” says Snyder.
As Uses Of Technology Grow, So Do The Risks
Companies’ reliance on technology will only continue to amplify, in step with advancing cyber threats and an increasingly litigious environment.
“I expect that cyber security issues will continue to grow,” says Rafferty. “So companies need to redouble their efforts to implement effective cyber security procedures.”