Technology leaders are having to take on new responsibilities for mitigating cybersecurity risk. Of these responsibilities, a key one is advising the corporate board on the status of cybersecurity defenses and informing them of known risks.
To address the broad scope of advising your board, consider the following five factors.
1. Know your responsibility under new SEC guidance.
If you are a technology leader in a public company, regulations require you to discuss and review cybersecurity issues with your board. The SEC continues to provide guidance on the responsibilities to disclose to shareholders and investors about material cybersecurity risks and incidents. In fact, the commission recently said that “the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or likely to face.”
Part of the disclosure requirements is to “provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.”
As an IT leader, you must define your role and responsibility vis-a-vis your board and cybersecurity risk. You should also define your internal policy and procedures for reporting. Whether you report to the board directly or not, your ability to deliver clear, easy-to-understand guidance is imperative to staying compliant with SEC requirements.
2. Think of threats and vulnerability, not technology.
As a technologist, you're probably most comfortable talking about the technical features and benefits of your security solutions -- but that is not what your board is looking for. Your board is looking to assess risk, and it is important to understand how to characterize that risk.
The SEC is expecting risk disclosures to be tailored to your organization. The commission warns against generic disclosures and requires specific information. Potential risk factors include prior incidents, probability of occurrence and magnitude of a possible cybersecurity incident, adequacy of preventative actions, and potential for reputational harm.
When examining risk, list potential threats, and rate them, for example, as defined, credible, potential and minimal.
Threats that are common in your industry, for your company size and in your geographic location would be “defined.” “Minimal” threats are when there is no history of these threats against companies in your industry, of your size or in your particular location. Additionally, come up with your own set of criteria that defines your business as it relates to cybersecurity.
After assessing the external threats, focus internally on your system's vulnerabilities. When determining vulnerability, think about the impact of a particular incident, and rate it from devastating to minimal. Also, think about the likelihood that your particular organization would be a target based on its public profile, which you can rate from very high to low.
3. Define 'tolerable risk' versus 'unacceptable risk.'
You should not be reporting on every potential cybersecurity risk your organization faces. Instead, you need to define what is tolerable and what is unacceptable. Using your ratings on impact and vulnerabilities, you can create a matrix that can be a powerful tool for talking with your board.
In the matrix, the threats with the highest impact that intersect with your organization's highest vulnerabilities would be unacceptable. There may also be second- and third-tier risks that are also unacceptable. Work with your board, management team and technology team to determine at what point a risk is high enough that it should be reported.
4. Consider the financial implications of cybersecurity.
The board must disclose the impact of cybersecurity on the company’s financials. Cybersecurity has financial implications in two ways: the investment required to mitigate risk and the potential loss from an adverse incident.
As the technology leader, it will be up to you to report to your leadership on the specific costs of cybersecurity investments. You should be able to clearly articulate why a particular investment is needed based on the risk it mitigates. You also need to articulate what the potential costs are for a cybersecurity incident. Some potential losses include business loss, reputation loss and legal costs.
Again, it is important to assess the actual risk of this loss. If the amount of loss would be very high but the risk of an incident is extremely low, it would not be appropriate to include the entire potential loss in a disclosure.
5. Make the case for cybersecurity investments.
You will not be able to protect your business from cybersecurity loss without appropriate investments. You also will not get a blank check to buy all of the security solutions you need.
The research and risk analysis on cybersecurity you have done to this point should give you the information you need to present very clear return on investment (ROI) justifications for your cybersecurity investments. Use the time reporting on cybersecurity risk to your board to make the case for your department’s cybersecurity requirements.
Stay Vigilant
Responsibility to report and disclose on cybersecurity will continue to expand. Help yourself better manage it by knowing your organization's disclosure and policy requirements, understanding risk analysis and educating your organization on cybersecurity and its business implications.
