Asking Questions is not Enough: Three Board Accountabilities for Cyber Security - Quartet Service

Cyber threats have been making headlines for more than a decade. No one is immune – leading organizations have been penetrated, taken over, lost data, or had private information stolen. Small and medium-sized enterprises also face frequent attacks. No matter what an organization does, its location, or its size, with a connection to the internet, it is a target.
Not surprisingly, these issues arise around Board tables. Over the past six or seven years, cyber security concerns have consistently been in the list of top Board concerns. For instance, this 2019 study by North Carolina State University ranked cyber security as the 4th most significant risk for Directors, while it had been even higher a year earlier.


Why is this a Board Issue?

The details of data protection and threat response are operational matters: something that a Board would reasonably expect the CEO to manage. Leadership can delegate responsibility for selecting products, engaging solution providers, or enforcing safe behaviours. Cyber security is a Board issue because specific attacks put the continued existence of organizations at stake. The Board has the responsibility to ensure that the organization survives, even more so than management does, and that is not an exaggeration.
Earlier this year, the parent company of the American Medical Collection Agency filed for bankruptcy protection only a few weeks after reporting a massive data breach. Research indicates that 60% of small and mid-sized businesses experiencing data breaches go out of business within six months of the attack.
Ransomware similarly poses an existential threat to organizations. Ransomware attacks continue to target new sectors, which never realized their vulnerability until it was too late. This past week a coordinated attack shut down the networks of 23 municipalities in Texas. Such attacks have successfully claimed ransoms of hundreds of thousands of dollars in the past. Not many organizations can afford an unanticipated demand of such scope.


Do Boards have accountabilities?

Because ransomware and data breaches can threaten the existence of the organization, cyber security must be on the Board agenda. But what should Directors do?
In the past, the answer may have been simply that Board members need to ask questions. Of course, questions are still a Director’s ultimate tool. But threats that scale so rapidly require more than just reassurance that management is on the right track.
Cyber security aligns directly with three areas where Boards have accountabilities: risk oversight; control and audit; and crisis response.


Risk Oversight

The Board’s first responsibility relates to the strategic management of risk. Directors must ask management to show how cyber threats are catalogued and prioritized in the enterprise risk management structure. This responsibility falls under the Board’s accountability to ensure that a strategic risk management program exists.
For the different categories of cyber threats, management should explain risk assessment, prioritization, information to be used, and how often assessments are updated.
Furthermore, the Board should understand budget allocation against risks – especially those that pose the threat of ending the corporation. Directors need to understand the nature of cyber insurance, and how management is handling the interplay between the cost of prevention, the cost of recovery, and the cost of insurance.
As a best practice, the Board should invite the Chief Technology Officer to sit down at least annually and provide an update. Meeting with the CTO without other management present will help ensure that the CTO is fully candid about the support they are receiving.


Control and Audit

The second responsibility hangs off the Board's accountability for control and audit. As with financial controls, the Board must ensure that security controls exist, are documented, and are tested.
Testing may be carried out as part of a contract with a managed services provider, by independent “white hats,” or by an arms-length internal group. In any of these cases, it is appropriate for the Board to ask the internal audit function to review the testing approach as part of the annual audit plan.
As citizens and governments become more concerned about privacy and data protection, compliance obligations will become more strict. At some point, it may become necessary for organizations to attest to their compliance with security standards. It is logical to assume that the Board will have accountability around any security attestation.


Crisis Response

The Board's third responsibility falls under its mandate to oversee crisis response. Privacy breaches, in particular, are one of the most common reasons for setting a crisis plan in motion these days.
Before that happens, the Board must ensure that a crisis plan exists. Directors should be briefed on the plan by management regularly.
The Chair and Board members may have particular roles to play in the case of a privacy crisis. The plan must lay out the circumstances which would lead to Board involvement. The first duty of the Board will be to support the CEO who has to implement a response and win back the market and regulators. Directors may be allocated roles in the latter area. The plan must indicate who speaks for the organization in case of a severe data breach.


The Bottom Line

It is not enough that Directors educate themselves or ask probing questions about cyber security. They must ensure that the organizations they lead take specific steps, or put certain safeguards and frameworks in place.
Boards can meet these responsibilities by providing direction to management or by hiring outside help. In the case of a small organization with an operating board, they may even meet some of these obligations themselves – but delegating the completion of those tasks in no way reduces the accountability of the Board. It is past time that Directors understand and act on their obligations.

Be sure to download our Cyber Security eBook Series for more information on good governance.

Guest Author

Chris Anstead is a Chartered Director, and sits on the Board of the Canadian Training Institute. He has almost 25 years of experience consulting in the areas of strategy, governance, and compliance. He is the President of Red Queen Associates, and formerly was Managing Director of the Directors College.