A recent Accenture report finds that as the challenges of cybersecurity continue to change rapidly, increasing in impact and complexity, the cost of resolving cyberattacks is also on the rise. In fact, in 2018, the average cost of cybercrime to affected companies increased by 12 percent from the year before, reaching $13 million per company. As these mutating threats grow in volume, sophistication, and scope, companies and their boards will be forced to play catch-up, constantly adapting their cybersecurity defenses to keep pace with threat actors.
Admiral James Stavridis, former Allied Commander of NATO, has been consistently beating the drum for enhanced cyberprotection for years, and remains concerned about the varied risks originating from cyberbreaches. Stavridis recently joined NACD to share his insights into board governance of this ever-growing threat. He is currently an operating executive of the Carlyle Group, chair of the board of counselors of McLarty Global Associates, and chair of the board of the US Naval Institute. He is also a monthly columnist for TIME magazine and chief international security analyst for NBC News. Admiral Stavridis will be a featured speaker at the NACD 2019 Global Board Leaders Summit.
Cyber Risks Present a Unique Challenge for Our Times
Boards largely recognize the growing significance of cyber risks. The 2018–2019 NACD Public Company Governance Survey finds that roughly 77 percent of directors have reviewed their company’s current approach to securing its most critical data assets against cyberattacks. That said, boards remain concerned about governance of this risk area; according to the same survey, 97 percent of respondents report oversight of cybersecurity as an important area of improvement. And they are right to be concerned, as just half (50%) express confidence that their companies are properly secured against a cyberattack.
Directors’ anxieties over cybersecurity are well-founded, as this security issue cuts across nearly all dimensions of modern life. From national security threats to the devices we carry with us or those found in our homes, the proliferation of digital connectivity has increased our vulnerability to these threats. For Admiral Stavridis, it is important to disaggregate the types of risk, as each requires its own treatment and strategy to address effectively. He breaks these cyber risks down into the following:
Criminal activity. This comprises “for profit activity, which by some estimates may amount to up to one trillion dollars a year; and can include activity such as stealing an individual’s most private and intimate details from the cloud. This particular risk presents a massive challenge for most companies today.”
Terrorism. “This is the work of groups whose activities are ideologically driven and question the value of specific societal structures. These groups include the Islamic State, Boko Haram, WikiLeaks, right wing nationalist organizations, [and] international anarchist organizations.”
State-on-state cyber risk. “There are a lot of shadow national activities, which used to take the form of espionage, but are quickly turning into shadow wars. Hackers are infiltrating networks, planting devices, manipulating data, and producing very real kinetic effects. In this arena, the US and China are the largest rivals, but certainly not the only relevant ones—other important players include Russia, North Korea, Iran, Israel, and France.”
Cyber-Risk Expertise in the Boardroom
In response to these threats, observers are debating the effectiveness of adding cyber-risk expertise to boards. Congress is getting involved, with the proposal of a bill that would push publicly traded companies to include cybersecurity experts on their boards. A separate congressional bill has also been introduced which, if passed into law, would require public companies to disclose whether any of their directors are cybersecurity experts. Proponents of these legislative initiatives believe they would elevate oversight of this risk in the boardroom. Opponents question how expertise would be determined and by whom, as well as the effectiveness of a single-purpose director.
Admiral Stavridis falls squarely in the camp advocating for inclusion of this knowledge base in the boardroom, noting, “I do think it’s mandatory that every single firm has at least one cyber expert as a board member. So often, boards are simply not up to speed. [To mitigate against this reality,] some boards bring in a chief information officer, technology officer, or another member from the management team. But there is no substitute for having a peer in the boardroom, who broadly understands cyber, as well as the company’s approach to incorporating this risk calculation into its operations.”
He also believes that in the next couple of years the United States Securities and Exchange Commission is likely to start mandating this type of expertise for public company boards. According to the Admiral, “it will resemble audit, in the sense that this will be a defined skillset, and will require a committee that focuses on its oversight.” He uses one of his boards, which established a committee on safety, technology, environment, and operations, as an example. The board decided to incorporate safety and operations into the committee’s responsibilities, as that is where much of the firm’s cybersecurity concerns are concentrated. “It’s an interesting grouping, but [to meet our company’s specific needs], that’s where we delegate governance of cyber risk, as well as the technology function,” he explained.
Leading Practices for Cyber-Risk Oversight
The Admiral believes the future of board oversight of risk is likely to skew towards cyber risk. His decades of experience in the public and private sectors have given him a unique perspective on these threats, lending weight to his warnings.
This issue is not going away anytime soon. Its impact is likely to be felt more acutely in the coming years, especially as a growing number of companies leverage customer data to transform business models and create value. Effectively addressing this challenge will require an approach that incorporates not only strategy and risk management, but also legal and technological expertise. There is no panacea. There are, however, practices and processes that directors can adopt to mitigate exposure to cyber risks.
The NACD Director’s Handbook on Cyber-Risk Oversight provides practical guidance for boards across company sizes and types. Its five key principles are highlighted below:
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an information technology issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
Hear Admiral James Stavridis, former Allied Commander of NATO, speak at NACD’s 2019 Global Board Leaders’ Summit, September 21-24, 2019, in Washington, DC. Register by August 31 to save $500!