Every company should expect that at some point it will experience a data breach. Whether as a result of hackers, disgruntled employees, or careless acts such as losing an unencrypted phone or laptop, data breaches may subject companies to liability and must be handled with speed and great care. What are the responsibilities of directors in preventing and addressing data breaches?
Without a doubt, directors must be generally aware of the data security risks facing the company and ensure that the company is prepared to manage those risks appropriately and has an incident response plan for a data breach. Unfortunately, it is easier to be reactive than proactive, and most boards of directors are not where they should be when it comes to cybersecurity awareness.
Earlier this year, the Advanced Cyber Security Center (ACSC) issued a report titled “Leveraging Board Governance for Cybersecurity”. The results of the research conducted by ACSC, as well as other research that it reviewed, are sobering. Only 21% of survey respondents felt that their board of directors was in full partnership with the company’s Chief Information Security Officer (CISO) or Chief Information Officer (CIO), and that the board was well-versed in the applicable cyber risks and priorities, informed about the IT and related investments needed to move towards more secure systems, and provided valuable feedback in meetings that include the CISO/CIO. By contrast, 64% of the respondents felt that the board was in the “early stage” or “maturing” phase of such a partnership.
The ACSC report provides findings and recommendations in five key areas:
- The Board’s Strategic Risk Role
- Building Board Cyber Expertise
- Aligning the Board Role and Corporate Structures
- Overseeing Cybersecurity and Digital Transformation Budgets
- Developing Cyber Risk Metrics and Measurement
The report should be required reading for corporate boards, as it is one of the few surveys to address the role of boards of directors in managing cybersecurity risks. When we asked Michael Figueroa, the Executive Director of the ACSC, why the ACSC commissioned this report, he explained:

“We hope that this report helps move us towards having a serious community discussion about cyber risk measurement and business ownership. Security teams seem to be inundated with reactionary governance based more on blame and accountability than on the reality that businesses assume and accept risks every day. Cybersecurity risks should be treated similarly. To progress in that more positive and constructive direction, security executives need to get better at building leadership coalitions around security within the business and their boards need to improve their baseline knowledge of cyber risk considerations so that they can help organizations be more strategic in how they make cybersecurity decisions.”

That sounds right to us. We are grateful to the ACSC for raising attention to this issue and providing resources, and hope that the report will be helpful to boards of directors of companies of all sizes. We also share six best practices for board members in our prior blog posts, Cybersecurity, Corporate Governance, and Risk Management: Best Practices and Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers.” The bottom line is that each and every board member should make sure that he or she is fully up to speed on the cybersecurity risks faced by the company and understands what the company is doing to effectively manage and respond to those risks.