Over the course of my career I’ve had the privilege to serve on numerous Boards of Directors of both public and private organizations. It’s a great honor to have the shareholders and stakeholders of an organization put their trust in you and your fellow board members to watch out for their interests as the highest stewards of that organization. It’s also an honor that comes with great responsibility, because if the Board fails, individual board members can be held personally liable.
That’s why deciding to accept a directorship requires meaningful thought. There’s no failsafe playbook for this decision, but the elements certainly need to include an evaluation of what the business does and what markets it operates in, whether the management team has shown itself to be competent and trustworthy, and, at a practical level, whether the company maintains the right type of D&O insurance. Some of these elements are personal in nature, such as whether you support the nature of the business itself, and some are very practical, like confidence in management.
I’ve used my own decision framework consistently for many years, until very recently, when it became necessary to add a new and very practical element: the need to understand how the organization understands and manages its cyber risk. It’s an issue that has become too important, and too relevant to the Board, to simply trust as a byproduct of trusting management and assuming that the organization probably spends a lot of money and has smart cybersecurity folks.
That’s because events of the last few years have shown that spending a lot of money and having smart cybersecurity folks does not solve the problem. Companies like Maersk, Merck, FedEx, Marriott and others all presumably had seasoned cyber leaders, spent extraordinary amounts of money and thought their insurance programs were sound, only to look back on major events that cost hundreds of millions of dollars and wonder how they could have gotten everything so wrong. That, coupled with the SEC’s 2018 guidance on how companies should achieve a proactive understanding of their cyber risk, Moody’s announcement that it will start considering cybersecurity in financial ratings, and the recent D&O settlement related to Yahoo’s security breach, all combine to definitively embed cybersecurity as a Board of Directors concern.
Therefore, as a Board concern and one that speaks directly to a Board’s fiduciary responsibility, cybersecurity is something prospective Board members ought to evaluate specifically. But how, given the deeply technical nature of the subject and a vocabulary that is foreign to most people outside the cybersecurity discipline?
My advice is to use the following four-part evaluation framework:
Understand the cyber risk of the organization in business terms.
That is, what types of cyber events could the organization suffer, and what costs and losses would result from each of them? Not only does this approach make cyber risk comprehensible to you, but whether the organization can articulate its risk this way is a great initial litmus test of how well it understands that risk. If the question can’t be answered, that’s a red flag.
Understand how the organization manages its cyber risk.
The most important component here is an understanding of the methodologies or frameworks used to guide the strategy. Does the organization do an annual assessment, fulfill the recommendations and call it a day until the next time around? Or does it use a maturity-based methodology that drives continual understanding, road-mapping and evolution?
Understand the organization’s recovery ability.
Is the organization prepared to respond to and recover from the variety of events described in step one? Can it pay for the anticipated costs and losses? Is the right insurance portfolio in place, recognizing that for many organizations, insuring against cyber risk requires a combination of insurance types and not just a single “cyber insurance” policy?
Gain confidence with the data behind these components and what drives decision making.
Ideally, you want to gain confidence that the organization has aligned its controls and processes to its greatest areas of risk and is not just plugging holes. That’s the difference between a risk-based approach and a compliance-based approach, the latter being a vastly inferior way to manage the problem (despite being a necessity in some industries).
A good way to contextualize this all is to imagine yourself at the emergency board meeting called when the organization suffers a major security event and is on the cusp of having to announce it. Do you want the board briefing to sound something along the lines of “We’ve suffered a serious cyber event that we had no idea was possible. We thought we had the right controls in place and we spent a lot of money on a lot of different things but it looks like we missed something obvious. We’re scrambling to find folks that can help and we think we bought the right insurance. We’ll figure all of that out over the next days and weeks.”
Alternatively, “We’ve suffered a serious cyber event, but one that we’re prepared for because we understood our risk and we can prove that our cybersecurity strategy was operating at a very mature level. The damage is far less than it would have been and we’re now activating the recovery plan designed for this situation. Further, we should have sufficient insurance proceeds to cover the majority of losses. We’re going to be ok.”
The first briefing, sadly, happens time and time again. The latter comes from the type of organization I’d be proud to serve on the Board of, and that’s why it’s important to consider cybersecurity when evaluating a Board opportunity.