Source: RSM US LLP.
ARTICLE
In the face of unrelenting pressure from major cybersecurity incidents and regulatory action to mitigate them, enterprises are assessing whether they are doing enough to address the situation. For example, public companies are evaluating responses to new U.S. Securities and Exchange Commission (SEC) rules calling for disclosures regarding cybersecurity strategy, risk management and governance practices. Recent SEC actions are setting off alarm bells throughout the cybersecurity community, causing chief information security officers to worry about personal liability and companies to reassess who to include in their directors and officers policies. Who will be next?
Cybersecurity incidents are unavoidable. However, in many recent high-profile cases, incidents have exposed governance/management weaknesses and disconnects between glowing boilerplate cybersecurity disclosure language and the actual substance of cybersecurity processes. Only after these incidents do companies go to great lengths to revamp their cybersecurity. Why not before? Can this be chalked up to a human tendency not to prepare for the future, or are there other reasons?
Bringing the challenge into perspective
SEC registrants will undoubtedly tighten up and expand their disclosure language now that new SEC disclosure rules have kicked in, but perhaps there are more fundamental problems. Boards can be overwhelmed by the complexity of cybersecurity and the vast array of detailed management presentations addressing compliance, heat maps, penetration testing and the like, and may struggle to understand their context. At the same time, they may also be comforted by management’s actions to deal with cybersecurity and not feel the need to do more. If so, are board members pushing cybersecurity governance out to the management team?
For example, the SEC’s new rules requires the disclosure of details regarding material cybersecurity events within four days. On the surface, this may appear to be a simple governance exercise—but, in fact, it requires management’s deep technical understanding of an organization’s IT environment and the board’s business understanding of the inner workings and context of the systems that constitute the enterprise they govern. To make an effective disclosure decision, the board would need to be able to evaluate questions such as:
- What is the operational purpose and relative importance of each affected system?
- How much do these operational systems contribute to our revenue forecast?
- What are the specific sensitive data elements captured in each system (e.g., intellectual property, customer data), and how many are exposed in the incident?
- What regulatory fines are associated with the exposure of this sensitive data?
Boards must also consider that cybersecurity incidents are rapidly evolving and the scope of affected systems and data can change over the course of an investigation.
Why it matters
The expression “noses in, fingers out” is meant to stress the board’s responsibility to ask insightful questions, but not to manage the business. However, the reverse is also true. Governance cannot be delegated to the management team. Yet evidence from well-publicized breaches suggest either a lack of governance or its delegation to management. Guidance on cybersecurity governance is available from the National institute of Standards and Technology (NIST), which is in the process of adding a “GOVERN” function to its cybersecurity framework as follows:
“GOVERN addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.”
Board adherence to some form of the GOVERN function is necessary to meet its fiduciary responsibility. For most business risks and challenges, experienced board members are well equipped to ask insightful questions, assess risk and make governance decisions. However, in the past, the complex nature of cybersecurity risk has caused many board members to shy away from cybersecurity and to not devote the time and energy required to fully understand and deal with the issue. This is unsustainable as incidents and regulatory pressures mount.
Adding cybersecurity expertise to the board can be a partial fix for this problem so long as these additions are not viewed as a “check-the-box” solution that relieves the rest of the board from its fiduciary duty. We are only just beginning to see signs of a broader solution wherein the entire board is digging in and devoting the time and energy to understand this systemic risk to their business.
Starting with the right questions
Perhaps boards and C-suites perceive their governance, management and implementation of cybersecurity processes and procedures as adequate. If so, they must be surprised when incidents reveal facts that demonstrate otherwise. By starting with the right questions, boards can better assess their cybersecurity preparedness, primarily from a governance perspective. Here are sample questions board members are asking to make this assessment, broken down across steps to organize, educate and drive culture in an organization.
Organize
Establish the right structure, roles and responsibilities around digital systems and cybersecurity risk.
Key questions to ask |
Indications of adequate cybersecurity governance |
Is our board adhering to its fiduciary governance responsibility or delegating it to management? |
|
Are the board and management properly structured and organized to deal with cybersecurity risk? |
|
Has the enterprise adopted a robust cybersecurity framework? How does the framework fit into overall enterprise risk management? |
|
What criteria are used to make changes to cybersecurity spending? |
|
Do cybersecurity policies and procedures include customer, third-party, operational and software interfaces? |
|
Educate
Learn how to contextualize cybersecurity risk and take actions based on its impact on the organization’s systemic risk profile.
Key questions to ask |
Indications of adequate cybersecurity governance |
Do the board and management have a sufficient understanding of the enterprise’s business functions and interactions to contextualize cybersecurity risk? |
|
Does the board understand risk tolerance, and does it interact with management to develop a risk appetite? |
|
Does the board understand cybersecurity presentations by management, or do presentations include too much tech jargon? |
|
Drive culture
Stress the importance of shared responsibility for controlling and responding to cybersecurity risks.
Key questions to ask |
Indications of adequate cybersecurity governance |
How do cybersecurity compliance audits relate to governance? |
|
What procedures are in place to respond to, report and recover from cybersecurity breaches? |
|
Does the board participate in tabletop exercises to train for responses to cybersecurity incidents? |
|
Bringing it together
Boards want to avoid addressing cybersecurity only after an incident. To ensure preparedness they need to transform their perception of cybersecurity governance into reality. Effective cybersecurity requires organizational changes necessary to govern and manage complex digital systems, educational changes to develop a common contextual “systems” understanding among the board and risk leaders, and cultural changes to imprint the importance of shared responsibility for cybersecurity upon the enterprise. The time for an enterprise-wide understanding of systemic cybersecurity risk is today. There are no easy, check-the-box solutions for cybersecurity that can substitute for a comprehensive cybersecurity strategy.
This article was written by Rod Hackman and originally appeared on 2024-03-15.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/cybersecurity-perception-is-reality-until-facts-intervene.html
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.