Corporate boards are facing mounting pressure concerning their oversight of data security and privacy risks. Regulatory guidance, emerging regulatory requirements, fines, and lawsuits combined with technological advances and changing business processes are shaping a new and evolving standard of care with exponentially increasing exposures for today’s directors and their organizations. Boards now find themselves front and center when it comes to dealing with these difficult issues, which dramatically increases their need for effective reporting from management and other subject matter experts.
While general awareness of cyber risks among corporate boards is increasing, even the most motivated and knowledgeable directors cannot effectively fulfill their duties without receiving appropriate data about the organization’s risk profile. Unfortunately, however, there appears to be a disconnect between management and boards when it comes to cyber risk reporting. According to a recent survey, 45% of risk and technology executives said they provide reports to board members on cyber investment initiatives, while only 18% of board members said they receive such information. Another survey reports that 63% of directors say they’re not very comfortable that their company is providing the board with adequate cybersecurity metrics. Twenty-two percent of directors were either dissatisfied or very dissatisfied with the quality of the reporting they receive from management, according to a new National Association of Corporate Directors (NACD) survey. And a shocking 91% of board members of the most vulnerable companies responding to another survey revealed that they are unable to interpret a cyber security report. Clearly, improvements are needed.
In order for directors to effectively discharge their duty of active, informed, and engaged oversight, the information they receive must be relevant, understandable, reliable, and objective. Here are three tips to assist in that regard.
1. Utilize a Formal and Consistent Reporting Framework
Ascertain the key information categories that are relevant to the enterprise and package them for the board in a formal, consistent manner. Consider using a dashboard customized to the specific needs of the business to provide a consistent, over-time reporting methodology that allows board members to easily see where the enterprise is improving or falling behind. Avoid tech-speak and jargon. While directors usually have outstanding operational and financial acumen, they may not be well equipped to appreciate the significance of information buried in an overly technical presentation.
2. Adopt a Data-Driven Reporting Strategy
Utilize measurable, verifiable, and repeatable metrics that are tied to the organization’s overall business strategy and risk tolerance. Although anecdotes can add color to a presentation, data-driven reporting with economically-focused results is actionable and enables boards to make better decisions. Examples of useful metrics for board reporting are:
- Talent strategy. Report on the number of employees, both in IT and business functions, responsible for cyber security and privacy; number of employees with relevant security and privacy credentials; training program metrics; security and privacy-related disciplinary actions for employees at all levels.
- Financial. The percentage of information security spend versus the total IT budget; global financial loss tied to cyber/privacy events; value of data assets; value of potential loss, including reputational and shareholder impacts; regulatory compliance costs; ROI on security controls.
- Information Security. Number and type of incidents; number of viruses blocked; time to detect and remediate incidents; associated costs, including “hidden” costs, such as downtime related to a malware incident, and any related opportunity costs; number of incidents reported to the media; probability of an incident.
- Benchmarking. Information security and privacy spend compared with peer companies or industry; independent cybersecurity ratings; information security maturity level tied to NIST or a similar framework.
3. Get External Validation
According to the NACD Handbook on Cyber-Risk Oversight, boards should have adequate access to cyber expertise by recruiting knowledgeable board members and/or seeking independent and objective outside experts. Utilization of experts helps boards ensure that they’re getting complete and unbiased information. Since fear of retribution might discourage some internal resources from fully reporting negative security and privacy information, validation by outside resources can give boards an increased level of comfort that their decisions are sound and based on objectively reliable information.