How to Keep the Board Aligned and Invested in Your Cyber Security
Cyber risk ten years ago looks nothing like cyber risk today. In that same vein, cyber risk ten months ago looks nothing like cyber risk today.
With technology ever-changing, and more and more companies incorporating these advancements into day-to-day operations, “every company today has become a tech company,” said Tom Mackey, risk management consultant, EPIC Insurance Brokers & Consultants.
Some may argue they’re not, but Mackey said most companies have some type of technological element to their business — from electronic payment schedules to electronic files. Even email is an open door for cyber attackers. “Cyber security is a company-wide issue; not just an IT issue,” he said.
“There’s a belief tech will solve our problems,” added Shawn Ram, head of insurance, Coalition Inc. “But with tech comes risk and security concerns.”
It’s no wonder, then, that there’s a growing interest in bringing the board into cyber conversations. As cyber crimes grow in sophistication and data privacy regulations like GDPR come into force, company directors increasingly face liability for breaches that compromise customer data and erode shareholder value. Just look at NotPetya and the aftermath of that malware attack.
“The standard of care goes beyond ignorance. ‘I didn’t understand’ is no longer a valid reason,” Ram said.
Boards are likely to be held accountable if they don’t proactively combat their companies’ cyber risks. The problem, however, is that “generally, risk management understands the role and understands the objectives [of the board], but struggles with how to communicate upward,” said Ram.
So what can be done?
Knowing What to Ask
First, while a board should understand its cyber vulnerabilities, that doesn’t mean the board has to be the most up-to-date on every aspect of cyber exposure. Cyber security is a technical field, so a shared vocabulary between the board and the people who run security matters.
“Boards don’t need to be experts. But they need to know the right questions to ask,” said Evan Fenaroli, cyber product manager, Philadelphia Insurance.
“In evaluating cyber, the board should have an understanding of the company’s digital assets. If you don’t know what your assets are, you won’t know what to do.”
Ram added that assets used to be considered tangible things — like machinery — “today it’s intellectual property. Digital assets.” If the board isn’t thinking about its data like it’s an asset, it’s going to face scrutiny.
Here’s where risk management can shine: “Establish metrics around cyber security. Establish how to quantify cyber risks within your organization,” which includes knowing, finding, and proposing ways to ensure regulatory compliance, he said.
The more familiar the board is with the company’s technological infrastructure, the more likely it is to understand the company’s technological exposures.
Dan Frusciano, vice president of cyber for Ironshore Professional Lines, added: “The more knowledge from the top down in cyber, the better.”
He reiterated that a board doesn’t need to know every kind of cyber risk and cover, “but they should know if their organization can be targeted and why they might be. From there, they have to figure out the best way to protect the company,” he said.
To do just that, all committees and the board need to start with the right information, EPIC’s Mackey explained. “Where are we exposed and what can we put in place to handle those exposures?
“You could hire someone to develop a program that may sit on your shelf for a year — it’s a check in the box, but that’s not a true solution,” Mackey said.
Instead, building a team can be the best proactive step to effectively communicate cyber risk.
Building the Best Cyber Team
But who should be included on that team? The board and the risk management department are no brainers: “Risk management in general should be central to the conversation. Those are the people involved in buying insurance,” said Fenaroli.
“Communicating the actual threat has become easier. Five years ago, you would hear that it was an IT issue. But I think it’s been made clear in the news and through other organizations that cyber can be debilitating.”
“Board members are realizing this risk is there and they want to talk about it,” Brendan Goodwin, regional cyber director-Northeast, Gallagher, added. He said that in addition to risk management, “every member of your executive committee and your IT members” should be included on the cyber team.
“The relationship between the CIO and board is critical,” said Ram.
Others agreed; Fenaroli went a step further and said that there should be a definitive difference between a company’s technology officer and its information security officer, because each focuses on different avenues of cyber.
Additionally, the following should be a part of the cyber team:
C-Suite – “The board, the whole C-suite, should be involved,” said Frusciano. “Those are your decision makers.”
The Legal Team – “They know the regulatory environment and what’s going on,” said Ram. “The board needs to have an understanding of where they have an impact on regulations.”
Human Resources – Almost acting as an extension of legal, HR keeps employees up-to-date on cyber policies. Ram said, “Legal will oftentimes bring in HR, which then is instrumental in training cyber security.”
Operations – It’s good to have someone from the logistics side who understands the impact of a cyber attack.
Your Broker – “The broker’s role should be highly integral to the board to manage this risk,” said Mackey. He suggested the broker be a part of the cyber security planning phase so that they may be able to introduce the company into the insurance market and explain exactly what their needs are.
“The broker should play a prominent role. They see how [their client’s] peers address cyber security and can determine best practices. They should be at the discussion table,” added Goodwin.
“In a way, this whole team is risk management. Everyone is playing a risk management role,” Ram said.
Defining the Risks and Staying Proactive
“Scrutiny can come from all angles,” said Fenaroli. He added that any breach could be scrutinized no matter the size or type of company. Class actions, he said, are not unique to publicly traded companies; he’s seen nonprofits and private companies fall victim to a cyber breach’s repercussions.
“From a cyber threat perspective, it’s common to think at the high, nation-state level. But many smaller threats exist below,” said Ram.
That could be anything from spearphishing/email phishing scams, data breaches, patch management failures, a compromise of login credentials, host service inequalities and more.
All of these cyber incidents can lead to D&O claims, scrutiny of whether the board had “appropriate” mitigation strategies in place, or regulatory matters, Ram continued. Technology is driving sales, supply chains, HR — “Information security needs to be at a level that goes beyond the CEO, because of how integrated technology is in companies.”
“Depending on the type of company you are, you can lose the faith of your customers. Regulatory fines are a monetary concern, as well,” said Frusciano.
And taking a reputational hit may also affect the company’s ability to attract the best talent, suppliers and investors.
“More and more brokers are coming out with assessments on how to work with the IT team,” continued Frusciano.
One strategy the experts agreed is a great educational tool for every cyber team is the table-top exercise.
“They can help see any holes in the [cyber breach] plan,” said Gallagher’s Goodwin. “It’s the hands-on approach to see if a risk team and its company’s executives are prepared to take the right steps.”