Editor: Why is cybersecurity a current area of focus for NACD?
Bew: Cybersecurity and cyber breaches are no longer emerging issues. The headlines about breaches in both the public and private sectors have put the issue on every organization’s agenda, whether large or small, whatever the industry and whether the organization is public, private or nonprofit.
Cybersecurity is very important to our members as well as to the other key stakeholders in the corporate governance community: 90 percent of the directors who participated in our last NACD public company governance survey reported that they believe that improvement is needed in their board’s understanding of cybersecurity risk. And earlier this year, SEC Commissioner Aguilar said that ensuring the adequacy of a company’s cybersecurity protections is a critical part of a board of directors’ risk-oversight responsibility. For all of these reasons, it is a key topic for us at NACD.
Editor: NACD recently published a Director’s Handbook on cybersecurity oversight. How do you anticipate directors will use the Handbook?
Bew: We hope that directors and executives will find it to be user-friendly and practical. The Director’s Handbook contains guidance that’s built around five principles for board oversight of cybersecurity issues. The appendices in the Handbook include a number of different tools for boards, such as a list of questions that directors can ask themselves to measure their cyber literacy, as well as questions that they can ask management on different topics related to cyber risk. There are also some sample board-level reports in dashboard format.
As with any governance issue there is no one size that fits all. We encourage boards to adapt their approach to their company’s unique characteristics and circumstances. We hope that directors will take a look at the Handbook, bring it into their boardrooms, and use the materials in it to benchmark their own practices after adapting them as they see fit. The Handbook is not only available to NACD members but also available for public download from our website at http://www.nacdonline.org/Cyber.
Editor: In advising directors about the importance to their companies of protecting themselves against cyber attacks, has NACD recommended adoption by companies on whose boards they serve of the framework proposed by The National Institute of Standards and Technology (NIST)? [For a summary of the NIST framework, see fn 33 to SEC Commissioner Luis Aguilar’s 6/10/14 speech, available at www.sec.gov/News/Speech/Detail/Speech/1370542057946#_ednref26.]
Bew: The NIST framework is a set of suggested standards and procedures related to cybersecurity intended to help organizations develop an enterprise-wide approach to cyber risks, to reducing those risks, and to responding if a cyber breach should occur. NIST’s concept of treating cyber risks as just one of many other important types of enterprise-wide risks is consistent with the principles in our Handbook.
We suggest to directors that a careful review of the NIST framework be considered in the process of developing a company’s cyber-risk defense and response plan. I should add that we are also supportive of the Department of Homeland Security’s voluntary program on cyber-risk protection oversight called the Critical Infrastructure Cyber Community C³ Voluntary Program. We are very honored that the NACD Director’s Handbook is the first private sector resource to be featured on the DHS’s Cyber Voluntary Program Resource Page called “Getting Started for Business.”
Editor: What information about cyber risks should directors expect to receive from management? For example, should directors insist that the board be advised about the steps being taken to foil a cyber attack?
Bew: Many directors with whom we speak believe that their companies have a lot of room for improvement regarding cyber-risk reporting to the board. In our public company governance survey, NACD asked directors to evaluate the quality of information provided to the board by senior management in a number of different areas. Only about 13 percent of directors said that they were very satisfied by the quality of information that they get from management about IT risks, including cyber risk.
We recommend that boards receive regular briefings about cyber issues from management, either at the full board level or the board committee level.
In our Handbook, we suggest a number of different categories of information that directors might want to ask management to include in those briefings. One category is related to situational awareness about cyber threats. This includes questions such as: Who are the most likely intruders? What are our areas of greatest vulnerability? What are the results of recent company penetration tests or external evaluations of the company’s defense system?
A second category of information that boards may want to ask management about is related to how cyber threat management is built into the company’s policies, operation plans, budgets, and its day-to-day operations. Third, directors may also want information on the company’s incident response plan, including procedures for notifying relevant law enforcement authorities. The Handbook includes some specific, suggested questions that board members can ask management in the event that a cyber breach does occur.
Editor: What role do directors expect inside and outside counsel to play in the area of cybersecurity?
Bew: The corporate liability environment with respect to cyber issues is very dynamic and complex. Counsel should advise with respect to the treatment in the minutes of boardroom and board committee discussions of cyber issues. Counsel should be involved in consideration of how cyber issues should be handled and particularly in what the company ought to disclose and to whom in the event of a breach. As with any issue where disclosure standards and regulatory guidance are continuing to evolve on a real time basis, directors expect that counsel will keep them advised of information they need to know on a timely basis.
Editor: Do you anticipate that more boards will be recruiting directors with cybersecurity expertise in the future?
Bew: Like many types of specific director skill sets, this may have a higher priority in some companies than others, based on the industry, the company’s circumstances, and its risk profile. Regardless of company or industry, boards do need to have adequate access to cybersecurity expertise to help inform discussions in the boardroom. There are multiple ways that they can get that expertise. One way would be to recruit a director with that skill set. Other ways include requesting periodic briefings from in-house specialists, outside counsel and external auditors expert in the area, cybersecurity vendors or third-party experts from industry associations like the Internet Security Alliance. Of course, NACD encourages directors to take advantage of our cyber-education programs either on an individual basis or as a full board via our custom in-boardroom programming.
Editor: Is insurance against cyber breaches available?
Bew: Yes. Directors and officers should assure themselves that the company’s D&O policies adequately cover them for cyber liability. The company’s liability policies should be reviewed to assure they adequately cover the company for cyber risks. Our Handbook recommends that boards have a discussion with management about which cyber risks are most appropriate for the company to transfer through different types of insurance products.
Editor: Does the NACD offer cyber-risk education for directors?
Bew: Yes. This is becoming a very important part of our director education programming. What we are increasingly hearing from our membership is that directors want to do everything they can to provide effective oversight in the cybersecurity area, recognizing that this is an incredibly complicated, fast-moving and technical area where it’s virtually impossible for any lay person to become a true expert.
With that in mind, NACD is addressing cyber-risk education in a number of different ways. We built a module on cybersecurity into our flagship director education program, Master Class, which we run multiple times a year in different cities around the U.S. We also held our first annual day-long program on cyber risk in June of this year. Based on the feedback that we’ve received thus far, this will become an annual NACD event. Cybersecurity also plays an important part in our annual Board Leadership Conference programming through a variety of panels and break-out sessions. We plan to keep revising all of these programs with the help of a number of experts in the area so they will remain up-to-date.
Information is made available to our members through multiple channels so that it’s as easy as possible for directors to access it. For example, we offer cyber-education content online via webinars and a video series that NACD produced called “IT In the Boardroom.” And we have a daily news digest feature for our members called Director’s Daily that comes to members’ Internet inboxes every morning. That service includes current news that is relevant to a variety of corporate governance and business topics including cybersecurity.
Editor: What steps should a corporation take to cultivate a culture of risk-aware and risk-adjusted decision making?
Bew: At NACD, we are fond of saying that risk management and risk oversight are team sports. Not only the CEO and the board, but all levels of employees across the organization have important roles to play.
A risk-aware culture really starts with building the right foundation. Management and the board need to establish a shared understanding of what drives a company’s success. This includes knowledge of the company’s strategic objectives and the risks associated with achieving those objectives. With that as a foundation, management and the board then need to make sure that there is very strong alignment between that strategy and the company’s priorities, people development systems, incentives and compensation programs, and risk controls. All those dots need to be connected – not just connected on paper, but in the way that people are doing their jobs every day: everyone from the CEO all the way down to the newest hire that just walked in the door.