The Board of Directors and Defensible Duty of Care

Published by Scott Kannry

January 1st is almost upon us, and there are only a few days left to solidify your resolutions for 2020. In our quest to make the start of the New Year as easy as possible, we’re excited to present Part III of our 2020 Resolution Series, with this week’s version focused on the Board of Directors and the resolution of achieving defensible Duty of Care.

Let’s set the stage. You are, hopefully, on the Board of an organization that emerged from 2019 unscathed—no cybersecurity events for you! That said, you are not sure whether the organization has its act together or just got lucky. You do recall the CISO’s board meeting reports. Judging by the technical complexity that was discussed, you felt somewhat confident that the CISO had a handle on the situation. And thankfully, all the heat maps you saw showed far more greens than yellows and reds. All of that said, you still may have questioned what it all amounted to.

Communicating Cybersecurity Management to Shareholders

Now let’s look ahead to the annual meeting that you’ll be attending in about two months. You’ll start prepping soon to answer shareholder questions about how the business is performing and the major challenges it faces. Many of the questions will focus on old-hat topics like key hires, executive compensation, and the economic conditions facing the business.

This time around though, what if someone asks a very pointed question like, “Can you please explain the organization’s cybersecurity exposure as it relates to the business and the anticipated impact of a cyber event on the share price?”

As you try to formulate a response, will you be scrambling to translate the meaning of those heat maps and remediation plans that gave the organization a vague score of 82 out of 100? Will you respond by describing how your organization is green on 52 things, yellow on 10 things, and red on 3 things?

Or will you be prepared with a pointed answer to that question? A response could go like this:

Our cyber exposure is in the range of $100 million to $200 million, which reflects the five types of major loss that we could suffer, ranging in estimated value from $1 million to $75 million. Because we’ve done that work and identified the segments of our business that present the greatest risk, we’ve built a cybersecurity program that focuses on protecting those largest exposure segments. Based on industry and peer benchmarks, we’re tracking at least 25% ahead of our peers in the controls we have in place to protect those areas of risk. We’re confident that our insurance portfolio is geared towards providing coverage for those exposures, and we’d expect full recovery if an event happens. Big picture, if something happens to us, we’ll be able to recover financially with minimal impact on the stock price.

Take it one step further and imagine that your organization has an event. Now it’s time to face the music and explain what happened. Which approach to cybersecurity oversight will set you up for success in delivering on Duty of Care? Is it the first approach, where your understanding of the cybersecurity posture was limited to colors and number ranges in a vacuum, both of which seemed good at the time but neither of which actually answered the question of risk potential and business impact?

Passing the “Duty of Care” Test with a Deep Understanding of Cybersecurity Management

You can pass the “Duty of Care” test through the second approach, where you can confidently explain the following:

  • The magnitude of risk in financial terms
  • Why decisions and trade-offs were made
  • A clear line of sight to industry best practices, showing that your organization was ahead of the pack in cybersecurity maturity
  • How, because you understood the magnitude of exposure, you secured the emergency funds and insurance coverage needed to recover effectively from the losses

Most critical to delivering on a Director’s Duty of Care responsibility is being reasonably informed. In the event of a cybersecurity attack, the distinct difference between the two approaches discussed above is that in the first approach, you have abdicated your Duty of Care responsibility by letting technical knowledge sit in a silo. Sure, you were provided technical information, but what did it really mean for the business? In the latter approach, you have delivered on your Duty of Care responsibility. Sure, a cybersecurity event happened, but you knew that it could happen and what it could look like, and you had a plan in place to recover. That’s defensible Duty of Care, and an achievable resolution for Boards of Directors in 2020.