5 Top Cyber Issues Facing The Corporate Boardroom In 2023

The year 2023 is likely to be the year that cyber challenges and changes consume the corporate boardroom. This prioritization is long overdue.

Despite the sophistication, impact and rapid emergence of cyber risks, corporate governance policies and practices on cyber risk have lagged their reality. But a perfect storm of issues is putting pressure on corporate boards and their directors to adapt their approach to cyber governance.

I interviewed Accenture Securities Managing Director and NACD Board Leadership Fellow Bob Kress on this topic. Here we count down the top five cyber governance issues he believes corporate boards will face in the coming year.

Surprisingly, coming in only at #5 is Kress’ belief that tectonic shifts in the cyber threat landscape could create an ultimatum for corporate directors to think critically about cybersecurity governance reform.

He explains further by saying, “We are at a defining moment in cybersecurity. Geopolitical tensions and conflicts are creating new threat actors, targets, and motivations for cybercrime and disruption. Insider threats are increasing — as they always do during periods of economic instability. Ransomware attacks could continue and likely escalate in frequency and impact. The maturity of the active cyber adversary that every organization faces and the exponential increase in what’s at stake from a business value perspective has created this defining moment. What’s more, systemic cyber risk has introduced an inherent and distributed risk environment that most, if not all, organizations and boards are ill-prepared to handle. The day of reckoning is at hand for corporate directors and their effectiveness in governing these issues.”

There is no doubt that cyber risks have never been greater, and their stakes have never been higher. Cyber risk is unique among enterprise risks in that an active adversary constantly works to attack the complex digital systems that power business value propositions. This resourceful and intelligent adversary guarantees a volatile risk environment that will only demand more time, attention, and focus from corporate directors.

At #4 on his list, Kress believes that shareholder pressure could force corporate directors to adopt different cyber governance policies and practices. “While director personal liability is always somewhat of a motivation behind director behavior, what’s moving this issue beyond the early boardroom adopters of cyber governance leading practices is the business continuity implications of these risks and the massive financial exposures that come with not being able to function as an organization,” he commented. “Financial risk and particularly the equity risk implications of cyber risk combined with the growing role and influence of institutional investors in America’s boardrooms could increase the pressure and pace on corporate boards for significant cyber governance self-transformation,” he added.

It is worth noting that most public company corporate boards still govern cybersecurity within the responsibilities of their audit committees. Corporate governance advocates and associations do not recommend this practice. Securities and Exchange Commission (SEC) leadership has also questioned whether assigning cyber oversight to the audit committee brings the right skills and the necessary focus to effectively governing cyber risk.

Kress noted, “Director cyber skills, the growing impacts of systemic cyber risk, and the emerging practice of implementing a digital and/or cyber committee in the boardroom could form the foundation of cyber governance transformation for many boardrooms.” He added, “These common sense corporate governance steps will protect the interests of all corporate stakeholders, and most importantly in terms of influencing corporate director actions, the interests of institutional investors.”

Next at #3 is the emergence of a new and powerful C-suite influencer in the cyber risk equation – the CFO. “The CFO’s emerging role in cybersecurity is a key driver that advances the economic quantification of cyber risk,” Kress said.

He continued, “More CFO involvement in cybersecurity is being driven by the development of Cyber Risk Quantification or CRQ practices and approaches. Leading boards have recognized that they are largely self-insured for the economic impacts of cyber risk and are starting to do the challenging, but not impossible, work of quantifying their cyber risk exposure levels. Compounding their need to do this are the cyber insurance premium rate increases being forced onto them by the cyber insurance industry, along with tightening insurance coverages.”

Understanding cyber risk in economic terms is a significant step forward in cybersecurity governance. For accounting purposes, organizations already quantify and recognize expected losses in other areas, such as doubtful accounts receivable, warranty liabilities, and loan losses. A group of innovative firms focused on CRQ are leading the way in helping organizations understand cyber risk in economic terms. Quantifying the expected uninsured loss exposure related to cyber risk, and the need for the CFO to be engaged in this determination, will make this a high-priority boardroom issue in the coming year.

The #2 issue is that the boardroom is faced with a new dimension in enterprise risk — systemic cyber risk. Kress commented, “The challenges associated with governing and managing distributed cyber risk can create new dynamics in enterprise and ecosystem risk management.”

Systemic risk is a complex dynamic in enterprise risk that is a symptom of the multidimensional and complex world humankind has been able to create. The backbone of this complex world is the digital systems that power economies and businesses. Almost every organization now exists in an environment of distributed cyber risk. But risk management remains largely focused on the risks inherent within the enterprise.

“While systemic risk as a concept isn’t entirely new, the levels of systemic risk facing most organizations, especially through their digital business systems, are exponentially greater than they have ever been,” Kress added.

While risk management practices and approaches will need to fundamentally shift and evolve to adapt to this new systemic risk environment, there is some good news with this challenge. The financial industry has been advancing how its sector views and mitigates systemic risk in the capital markets and financial system since the “too big to fail” systemic financial crisis of 2008, which means there is precedent to learn from. This demonstrates that we can get better at understanding and mitigating systemic risks when they are understood and addressed in the right ways.

New ways of thinking, identifying, managing, and governing systemic cyber risk and its far-reaching business impacts need to make their way into the boardroom to advance the enterprise risk management approach of every corporation. “CIOs and CISOs have a fantastic opportunity to lead on the issue of systemic risk at the C-suite level given how pervasive it is within their complex digital business systems,” Kress added.

Finally, at the top of the list, Kress’ #1 issue that corporate boards should address in 2023 is that regulators are likely to force boards to do what they could not, or did not want to, do on their own: transform their approach to cyber risk and cybersecurity governance.

Kress declared that, “The year 2023 could be the year that cybersecurity and cyber risk regulatory reform finally arrives in the boardroom.”

While regulators have passed significant cybersecurity and data privacy reforms that management teams have had to deal with, there has been very little regulatory reform in corporate governance. However, the SEC is set to announce its final cyber rules in the second quarter of 2023, which will likely include very specific boardroom reforms on cybersecurity. New York’s Department of Financial Services has also proposed new rules on how the boardroom should govern cyber risk.

These governance-related regulatory reforms could force corporate boards to address foundational issues such as cyber expertise in the boardroom, what constitutes materiality in cyber risk, cyber disclosure, incident reporting, and the effectiveness of management’s cybersecurity and risk programs, policies, and procedures.

“Regulatory reform that impacts the boardroom and cyber governance could force boards and management teams to work together in new ways to mature their cybersecurity policies and practices. I think this is a positive step forward to strengthen the boardroom as a critical control and high performing part of every organization’s cybersecurity system,” concluded Kress.

In summary, as multiple direct and indirect digital and cyber forces converge, the long overdue reform of digital and cyber risk oversight may be at hand. While cyber risk remains in the headlines in 2023, the new year could put the corporate boardroom front and center in the cybersecurity discussion — and see boardroom transformations that finally catch up to the reality of cyber risk.