Cyber Risk is ever-present for companies and organisations regardless of size, sector or geography. And quite rightly, Cyber Risk features prominently on the Board Agenda. As Fidelio supports Chairs with regard to Board composition and Board effectiveness, we see Cyber Risk raising two key questions for Boards:
Does the Board have the requisite skills to provide challenge and oversight of Cyber Risk?
And is the Board asking the questions it needs to ask?
We picked up on these themes at a recent Fidelio Board Breakfast which resulted in an important checklist for Boards, as well as a framework for all Board Members, including from a non-tech background. Fidelio was joined by Bruce Sewell, formerly General Counsel and Executive Committee Member at Apple and now Board Member and Chair of the Audit Committee at Vail Resorts and Board Member at C-3 IoT. Drawing upon his deep experience of these issues, Bruce addressed three key topics:
As Cyber Risk becomes increasingly sophisticated and data regulation becomes draconian, what is the Board response? How do non-technology Board Members gain comfort?
Are Boards alert to the opportunity presented by technology, including AI?
Technology companies work with a speed and agility that eludes other sectors. Do Boards understand what this means for strategy formulation and culture?
It is vital that the Board, including Board Members from non-tech backgrounds, is competent to oversee technology and innovation. It is not the Board’s role to directly troubleshoot, but rather ask the right questions and set the tone from the top. The questions should include the following:
What kind of data do we hold?
Who has access and what is the authentication process?
What are the firewall/encryption systems in place and are these actively monitored?
What are the protocols?
How do we review past attacks and responses?
Who is the Chief Information Security Officer (CISO) and what is their reporting line?
Technology and Cyber Risk: An Issue for All Board Members
Bruce was unequivocal: there has to be a marriage between Board supervision and Executive strategy in cyber policy and reporting. The Board should be careful not to dive too deeply but rather provide oversight. It isn't mandatory to overhaul all systems, as this obviously has risks of its own – one need not look far for high-profile examples of difficulty in updating legacy systems. The value of the Chief Information Security Officer (CISO) is to navigate this at a high level and, critically, report to the Board: for example to the Audit Committee Chair, in a reporting structure similar to that of the Head of Internal Audit. As an Audit Committee Chair, Bruce argued that the reporting relationship with the CISO can have a similar function to that with Internal Audit. A wise Audit Committee Chair will ensure that the CISO brings the calibre and experience required, and has the budget needed and the confidence to speak up. While Audit and Risk Committees have an active role to play in Cyber Risk oversight, and their ranks should include Board Members with a firm grasp of technology, Cyber Risk is a subject for the entire Board. Too heavy a reliance on the cyber competence of a few Board Members may diminish the effectiveness of the Board as a whole. Non-technologists must also be involved in cyber oversight, and training for non-technology Directors is both available and of good quality. There is also a range of valid and important perspectives on technology from a variety of different sources: for example, from the CEO/COO of an IT company, through to legal backgrounds with insight into IP issues. External resources such as consultants can be useful, but are no substitute for appropriate internal competence at both Executive and Board levels.
In summary, it is vital that all Boards, regardless of industry, are cyber-aware, and that all Board Members are competent to raise key questions about the company’s approach to handling Cyber Risk. Technology tokenism, where one or two Board Members are given the technology and cyber brief and the rest of the Board remains ignorant of the issues, is both ineffective and potentially dangerous. High-performing Boards are no longer relying on individual Board Members but ensuring that each new Board appointment increases the level of digital and cyber awareness of the team. This requires thoughtfulness and understanding in defining and then populating the skills matrix.
Similarly, external Board evaluations will be gauging how the Board is placed collectively and individually to frame and understand Cyber Risk. Each Board Member should be making a contribution. Gaps need to be filled and it is critical that the Board’s learning process is ongoing. Cyber Risk is one of the most challenging risk areas for any Board; it deserves one of the most comprehensive, thoughtful and rounded responses.