Getting the Board Ready for the Future of Cyber
On October 15, our members and guests gathered to hear a panel of experts discuss board preparedness and the future of cyber risk. Our distinguished panel included Christine Edwards, partner at Winston & Strawn LLP; Christopher Hetner, managing director for Marsh Risk Consulting’s Cyber Risk Consulting; and Donna Zarcone, president and chief executive officer of The Economic Club of Chicago. The session was expertly moderated by Kevin Richards, Marsh Risk Consulting’s Global Head of Cyber Risk Consulting.
Kevin Richards opened the discussion by highlighting the alarming fact that while corporations invest a record $125 to $130 billion annually on products, consultants and solutions to protect enterprises from cyber threats, an estimated $4 trillion is lost annually as a result of cyber issues. Even as companies spend record amounts on these investments, their confidence in managing cyber risk is waning.
Current Cyber Threat is Accelerating
The FBI is warning corporations that their number one concern is “Economic Espionage” and the Bureau is conducting outreach to communicate who the enemies are and what they are trying to accomplish. Seventy percent of the cyber threat is currently at the corporate level and it’s accelerating. Enemies are becoming more sophisticated and they are pairing up to increase their level of attacks.
Recommendations for Management Teams
Recognizing that this is a systemic problem, corporations have to be vigilant and protect both external (customers, shareholders, suppliers) and internal (employees) constituents. The panel referred to the ‘pain points’ that a cyberattack could inflict: the potential loss of intellectual property, revenue, reputation or brand. To get smarter on defense, management needs to have regular discussions with the Chief Information Security Officer (CISO), technologists and the risk officers. These discussions will help them assess the level and type of investments needed to make their organizations more resilient to a cyberattack. Our panel of experts offered the following questions to be considered: what is the right level of spending, what talent do we need, what is the right balance, and how do we budget for it? Executive teams should make calculated decisions that can be articulated to the board. It then becomes a team effort, not a singular issue within technology.
Recommendations for Boards of Directors
With daily headlines of huge data breaches, rampant ransomware attacks, and costly regulatory fines as a result of cyber issues, it’s clear there is a need for additional technology expertise in the board room. The panel suggested these options:
1.) Add a director with technology expertise to the board
2.) Invite a technology expert to give a one-hour presentation to the full board
3.) Establish an advisory committee of technologists
To be prepared for the looming possibility of a cyber breach, the panel emphasized the importance of a crisis communications plan. This plan would involve the whole business (management, attorneys, public relations, investor relations, HR) and identify the spokespeople and the timetable for communication. They recommended reviewing examples of past cyber breaches at other corporations, how they were handled, the mistakes made and how the communications could be improved. Without an enterprise risk management plan, the experts believe a corporation is flying blind. In addition, the panel recommended a board-level tabletop exercise, which is a review of the processes and procedures that would be used in the event a cyber breach occurred.
The experts emphasized that when the topic of cyber security is discussed at the board level, it is essential to take a team approach. They believe the CISO cannot stand alone or be put on the defensive. Rather, the board needs to work with the CISO and risk officers to determine how it can best support these roles.
Additional resources the panel mentioned included: the local FBI branch, trade associations, the Electronic Crimes Task Force (invite only), and InfraGard.
Recommendations for Individual Directors
The panel encouraged directors to ask meaningful and insightful questions. They have a right to trust but verify, which includes asking who is responsible for independent assessment and benchmarking.
Also, directors should review their cyber liability coverage within their D&O policies and decide if there are other insurance options to consider. Cyber policies may be complex, so it is important to ask questions when the policy is up for renewal.
In addition, the panel recommended the Carnegie Mellon Seminar on cyber security. The detailed information for the seminar can be found on the NACD website.
In summary, in response to the accelerating threat of cyber risks, corporations need to assess the type of investments needed to make themselves more resilient. It’s crucial to be vigilant but nimble, and to leverage the knowledge of the technologists at the corporation. Building an enterprise risk management plan is key; the plan should then be practiced and improved to ensure best practices.