Source: RSM US LLP.   

ARTICLE

In the face of unrelenting pressure from major cybersecurity incidents and regulatory action to mitigate them, enterprises are assessing whether they are doing enough to address the situation. For example, public companies are evaluating responses to new U.S. Securities and Exchange Commission (SEC) rules calling for disclosures regarding cybersecurity strategy, risk management and governance practices. Recent SEC actions are setting off alarm bells throughout the cybersecurity community, causing chief information security officers to worry about personal liability and companies to reassess who to include in their directors and officers policies. Who will be next?

Cybersecurity incidents are unavoidable. However, in many recent high-profile cases, incidents have exposed governance/management weaknesses and disconnects between glowing boilerplate cybersecurity disclosure language and the actual substance of cybersecurity processes. Only after these incidents do companies go to great lengths to revamp their cybersecurity. Why not before? Can this be chalked up to a human tendency not to prepare for the future, or are there other reasons?

Bringing the challenge into perspective

SEC registrants will undoubtedly tighten up and expand their disclosure language now that new SEC disclosure rules have kicked in, but perhaps there are more fundamental problems. Boards can be overwhelmed by the complexity of cybersecurity and the vast array of detailed management presentations addressing compliance, heat maps, penetration testing and the like, and may struggle to understand their context. At the same time, they may also be comforted by management’s actions to deal with cybersecurity and not feel the need to do more. If so, are board members pushing cybersecurity governance out to the management team?

For example, the SEC’s new rules requires the disclosure of details regarding material cybersecurity events within four days. On the surface, this may appear to be a simple governance exercise—but, in fact, it requires management’s deep technical understanding of an organization’s IT environment and the board’s business understanding of the inner workings and context of the systems that constitute the enterprise they govern. To make an effective disclosure decision, the board would need to be able to evaluate questions such as:

  • What is the operational purpose and relative importance of each affected system?
  • How much do these operational systems contribute to our revenue forecast?
  • What are the specific sensitive data elements captured in each system (e.g., intellectual property, customer data), and how many are exposed in the incident?
  • What regulatory fines are associated with the exposure of this sensitive data?

Boards must also consider that cybersecurity incidents are rapidly evolving and the scope of affected systems and data can change over the course of an investigation.

Why it matters

The expression “noses in, fingers out” is meant to stress the board’s responsibility to ask insightful questions, but not to manage the business. However, the reverse is also true. Governance cannot be delegated to the management team. Yet evidence from well-publicized breaches suggest either a lack of governance or its delegation to management. Guidance on cybersecurity governance is available from the National institute of Standards and Technology (NIST), which is in the process of adding a “GOVERN” function to its cybersecurity framework as follows:

“GOVERN addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.”

Board adherence to some form of the GOVERN function is necessary to meet its fiduciary responsibility. For most business risks and challenges, experienced board members are well equipped to ask insightful questions, assess risk and make governance decisions. However, in the past, the complex nature of cybersecurity risk has caused many board members to shy away from cybersecurity and to not devote the time and energy required to fully understand and deal with the issue. This is unsustainable as incidents and regulatory pressures mount.

Adding cybersecurity expertise to the board can be a partial fix for this problem so long as these additions are not viewed as a “check-the-box” solution that relieves the rest of the board from its fiduciary duty. We are only just beginning to see signs of a broader solution wherein the entire board is digging in and devoting the time and energy to understand this systemic risk to their business.

Starting with the right questions

Perhaps boards and C-suites perceive their governance, management and implementation of cybersecurity processes and procedures as adequate. If so, they must be surprised when incidents reveal facts that demonstrate otherwise. By starting with the right questions, boards can better assess their cybersecurity preparedness, primarily from a governance perspective. Here are sample questions board members are asking to make this assessment, broken down across steps to organize, educate and drive culture in an organization.

Organize

Establish the right structure, roles and responsibilities around digital systems and cybersecurity risk.

Key questions to ask

Indications of adequate cybersecurity governance

Is our board adhering to its fiduciary governance responsibility or delegating it to management?

  • Boards approve cybersecurity frameworks, policies, procedures and risk appetites recommended by management. The board directs management to deliver periodic progress updates on how cybersecurity risks are being mitigated, including potential barriers (e.g., funding).
  • The board directly engages outside advisors to evaluate the efficacy of their cybersecurity organization at both the board and management level and to recommend changes accordingly.
  • Ongoing educational programs are established for the board, management and employees to develop a common contextual understanding of cybersecurity and to instill a culture of enterprise-wide cybersecurity responsibility.

Are the board and management properly structured and organized to deal with cybersecurity risk?

  • Management institutes a cybersecurity risk management process that establishes clear authority and responsibility to make operational cybersecurity recommendations and decisions. In upmarket organizations, this authority and responsibility are often delegated to a committee led by a senior executive who reports directly to a C-suite executive.
  • The board follows evolving best practices, and the members, or a separately tasked committee, interact routinely with the digital risk management lead or committee. The board includes members with cybersecurity expertise but does not regard this as a “check-the-box” solution for the fiduciary responsibility of the entire board.

Has the enterprise adopted a robust cybersecurity framework? How does the framework fit into overall enterprise risk management?

  • Management recommends and the board approves a cybersecurity framework. This includes developing and adhering to high-level and detailed policies and procedures approved by the board. Public disclosures of the framework match internal practice of the framework’s policies and procedures.
  • The cybersecurity framework is integrated into the enterprise’s enterprise risk management policy.

What criteria are used to make changes to cybersecurity spending?

  • Management recommends and the board approves changes to cybersecurity spending based on projected growth, IT strategic initiatives (e.g., digital transformation), capital rationing, and the expected return on investment (e.g., through risk mitigation), consistent with IT risk appetite. Capital allocations are made accordingly.

Do cybersecurity policies and procedures include customer, third-party, operational and software interfaces?

  • The board and management recognize that cybersecurity threats to the enterprise go well beyond internal threats and encompass external threats posed by third parties. Policies and procedures are implemented to deal with these relationships.

Educate

Learn how to contextualize cybersecurity risk and take actions based on its impact on the organization’s systemic risk profile.

Key questions to ask

Indications of adequate cybersecurity governance

Do the board and management have a sufficient understanding of the enterprise’s business functions and interactions to contextualize cybersecurity risk?

  • The board and management demonstrate a holistic view of cybersecurity risk as a systemic risk to their enterprise. They develop an understanding of the interaction of system components, both physical and digital, that constitute the “enterprise as a system” (EAS). A commitment is made by the board and management to maintain a continuous education process and reevaluate the EAS periodically and when major changes occur, e.g., acquisitions, divestitures, introduction of new systems, etc.
  • Management is directed to produce a high-level business process map in layperson’s terms (with the help of outside advisors as necessary) describing the EAS as well as the relative importance of the components and how they interact with one another.

Does the board understand risk tolerance, and does it interact with management to develop a risk appetite?

  • Management presents the scope of cybersecurity risks to the board and makes recommendations on how to deal with them. The board makes decisions to 1) mitigate, 2) transfer or 3) accept cybersecurity risk in concert with capital allocation budgets for cybersecurity.

Does the board understand cybersecurity presentations by management, or do presentations include too much tech jargon?

  • The board requires management to present a holistic view of cybersecurity within the enterprise’s governance framework using business risk language understandable to both. Sufficient time is provided for management to present and for the board/risk committee to ask questions.

Drive culture

Stress the importance of shared responsibility for controlling and responding to cybersecurity risks.

Key questions to ask

Indications of adequate cybersecurity governance

How do cybersecurity compliance audits relate to governance?

  • Management sets the expectation that cybersecurity compliance audits have clear linkage to overall corporate governance objectives. The board recognizes that compliance is an important but limited subset of good governance.
  • The board has direct access to all cybersecurity compliance auditors and outside advisors to discuss audit findings and their implications for corporate governance.

What procedures are in place to respond to, report and recover from cybersecurity breaches?

  • Management recommends and the board approves procedures to report, respond to and recover from cybersecurity incidents, and these procedures follow incident response leading practices.
  • The board and management risk committees coordinate to establish procedures to identify and respond to cybersecurity incidents, to make materiality determinations and to report incidents accordingly.

Does the board participate in tabletop exercises to train for responses to cybersecurity incidents?

  • Management recommends subject matter for exercises and the role of the participants, including outside advisors, and explains the rationale for their recommendations to the board.
  • The board questions and approves management’s recommendations and actively participates in both the exercises and post-exercise reviews.

Bringing it together

Boards want to avoid addressing cybersecurity only after an incident. To ensure preparedness they need to transform their perception of cybersecurity governance into reality. Effective cybersecurity requires organizational changes necessary to govern and manage complex digital systems, educational changes to develop a common contextual “systems” understanding among the board and risk leaders, and cultural changes to imprint the importance of shared responsibility for cybersecurity upon the enterprise. The time for an enterprise-wide understanding of systemic cybersecurity risk is today. There are no easy, check-the-box solutions for cybersecurity that can substitute for a comprehensive cybersecurity strategy.


This article was written by Rod Hackman and originally appeared on 2024-03-15.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/cybersecurity-perception-is-reality-until-facts-intervene.html

 

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.