Corporate directors by now are well aware of the potentially catastrophic legal and regulatory consequences of a cyber-attack or large data breach, but how to effectively address those risks still eludes many boards.

Boards are increasingly interested in obtaining a better understanding of their companies' data privacy and security risks. “Today's boards have become much more sensitive to cyber-security risks and the harm they could cause to a company's reputation and business,” says Vishy Padmanabhan, a partner with consulting firm Bain & Co. and a member of the firm's global information technology practice.

Even as directors are paying more attention to data security and privacy risks, they are less confident in their ability to monitor such risks. A recent board governance survey of nearly 600 directors conducted by NYSE Governance Services and executive search firm Spencer Stuart found that 40 percent of respondents said there was room to improve their knowledge and understanding of IT risk oversight. About the same number said they weren't confident in their ability to monitor how IT risks relate to the execution of the company strategy, and 41 percent expressed a lack of confidence in their ability to monitor the security of sensitive data.

Similarly, in a separate board governance survey conducted by PwC, nearly half of directors surveyed stated that they only “moderately” believe that the company's strategy and IT risk mitigation is supported by a sufficient understanding of IT at the board level, while 28 percent said it needs improvement. Only 22 percent agree strongly that management provides them with adequate information for effective oversight.

To address this gap, many boards are looking to beef up IT and data security experience. In the NYSE Governance Services survey, board members ranked IT experience among the top five most important attributes—along with financial experience, industry experience, and CEO experience—in selecting new board members. Meanwhile, 75 percent of 934 public company directors polled by PwC said adding directors with technology or digital media experience is important, up from 68 percent last year.

Data security and privacy is “not an issue that is going away for board members,” says Erica Salmon Byrne, executive vice president of compliance and governance solutions for NYSE Governance Services. “The changes in privacy regulations are going to be so critical over the course of several years that this is certainly something we anticipate to be very important to directors.”

Risk Strategy

In a further indication that boards are thinking more about data and privacy risks, 38 percent of respondents in the NYSE Governance survey ranked IT strategy among the top five topics directors would choose if setting the agenda for their next board meeting; nearly as many chose global business strategy (42 percent).

Like strategic planning, M&A opportunities, and CEO succession, “security must also be a priority topic that must be proactively discussed as part of the overall company strategy and business risk management,” says Syed Ali, a principal at Bain & Co.

The good news is that management's efforts to involve the board more in setting IT strategy are growing in importance. In the PwC study, 77 percent of directors believe their company's IT strategy and risk mitigation approach contributes to, and aligns with, the company's overall strategy.

Challenges Remain

Part of the challenge is getting management to communicate IT risks at a level that the average board member can understand, says Don Keller, a partner in PwC's Center for Board Governance. Many directors who currently serve on boards were born in a pre-digital era, he says, so articulating complex cyber issues to them can pose quite a challenge.

Consider the real-life example of a director attending a recent panel discussion on social media and cyber-security risks, who stood up and said, “Pardon my ignorance, but what's a hashtag?”


When communicating to the board, it's advisable that the chief compliance officer and chief technology officer work together, says Byrne, “because the best cyber-security plan in the world is only going to be as good as the training that you give to people to implement that plan.”

“A lot of these issues are a result of people failures, not system failures.” Having the opportunity to hear from both the CCO and CTO together helps the board really understand how employees are being educated on the importance of data security and privacy, she says.

Adding to the challenge of that knowledge gap is not only the rate of technological change, but the ever-evolving ways in which cyber-attacks happen. “Addressing those risks to make sure you are staying ahead and abreast of all those changes is difficult,” says Byrne.

Proactive Measures

“There are a lot of things boards can ask about to enhance their understanding,” says Keller. Data and privacy security experts offer a list of questions that every director should be asking:

Do we have a strategic view and a plan for cyber-security?

Are the business and technology decisions we are making in sync with the risk profile of our business and our technology capabilities?

Are we doing continuous scenario planning and testing to assess our ability to protect or respond appropriately in the event of a breach? What were the results of that testing?

Are we tapping into all possible sources of expertise, including vendors?

How are employees trained to understand and identify data privacy and security risks and to minimize those risks to the company, including their activity on social media?

How frequently do security and compliance audits happen?

Have there been any significant company changes since the cyber-security plan was last updated that warrant another look?

The board is responsible for “looking at the company's cyber-security plan, picking it apart, trying to figure out where the holes and gaps might be, and what the company's plan is to address them,” says Byrne.

[Chart: Monitoring Cyber Risk. How confident are you in your board's ability to monitor IT/cyber risk with regard to the following? Source: NYSE.]

Cyber insurance is another option boards should consider, says Keller. “If you don't have it, the question should be asked, should you? Or, if you already have it, do you have enough?”

“Boards should also focus on the level of spending on cyber-security relative to their competitors and their industry,” says Keller. “What percent of revenue, or IT budget, is being dedicated to cyber-security?”

“Increasingly, boards are evaluating whether they need a chief information security officer,” says Keller. Even if they don't have a CISO, the company should have someone in the organization whose job responsibilities involve security, he says. The next question after that, he says, is to whom that individual should report—the chief information officer, the chief financial officer, or the audit committee?

Addressing data privacy and security matters is not a one-and-done exercise. “The board's involvement in cyber-security should not be intermittent, nor should the engagement only happen in the aftermath of a breach when the company shifts to damage control,” says Padmanabhan. “Instead, a proactive and effective board must become knowledgeable and stay current on this topic, continue to ask questions around risk management, and support the management team in pursuing and investing in appropriate security risk-management capabilities.”