The cyber−risk oversight practices performed by boards of directors over the past year were highlighted in the National Association of Corporate Directors (NACD) 2019-2020 Public Company Governance Survey and 2019-2020 Private Company Governance Survey.
Public and private companies can use this information to benchmark their practices, and, according to NACD, to plan priorities, validate risk and oversight practices, identify areas for improvement in governance practices, and compare time allocation for fulfilling key board activities.
Board Cyber−Risk Oversight Practices
Public and private company boards engaged in the same top seven and the bottom cyber−risk oversight practices over the past year, with differences in terms of percentages.
The top practice undertaken by both private and privacy company boards was reviewing the approach to protecting critical data assets against cyberattacks, garnering over 80% of respondents in the public company survey and 80% in the private company survey.
The second practice was communicating with management about types of cyber−risk information the board requires, garnering over 80% of respondents in the public company survey and over 60% in the private company survey.
The third practice was reviewing significant cyber threats and response plans, garnering over 70% of respondents in the public company survey and over 50% in the private company survey.
The fourth practice was reviewing cyberbreach response plans, garnering 70% of respondents in the public company survey and over 50% in the private company survey.
The fifth and sixth practices, assessing employee negligence or misconduct risks and assessing third−party risks, garnered over 60% of respondents in the public company survey and over 40% in the private company survey. The seventh practice, reviewing cyber−insurance coverage, garnered over 50% of respondents in the public company survey and over 40% in the private company survey.
The bottom practice, leveraging external advisors to understand the risk environment, garnered over 40% of respondents in the public company survey and over 30% in the private company survey. Other bottom practices in the private company survey with the same percentages were assigning clearly defined cyber oversight roles to the full board and assessing D&O insurance policies for coverage of directors in the event of a cyberattack.
The eighth through twelfth practices—leveraging internal advisors for in−depth briefings, assigning clearly defined cyber oversight roles to standing committees, discussing the legal implications of a cyberbreach, assigning clearly defined cyber oversight roles to the full board and attending continuing education events on cyber-risk—diverged in the surveys.
The public company survey addresses 13 board cyber−risk oversight practices, but the private company survey addresses 14, including the additional practice of assessing D&O insurance policies for coverage of directors in the event of a cyberattack, in light of the potential for cyber-risks to become director and officer liability risks (for example, director and officer litigation regarding oversight of cyber-risks).
It is interesting to note that the practice of discussing the impact of cybersecurity regulations, which the NACD 2018-2019 Public Company Governance Survey and 2018-2019 Private Company Governance Survey described, was not among the practices described in the surveys, despite significant privacy and cybersecurity regulatory developments during 2019-2020, including without limitation, the California Consumer Privacy Act and the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) going into effect.
Scheduling Cyber-Risk at Least Once a Year on a Board Agenda
Over 60% of public companies scheduled cyber risk at least once on the board agenda over the last year, versus over 40% of private companies. Of these companies, it would be interesting to find out the percentages for which cyber risk was scheduled on the board agenda more frequently than once over the past year, such as on a quarterly basis.
Impact of the Covid-19 Pandemic on Cybersecurity
The private company survey was published May 12, about five months after the public company survey was published in December 2019.
The private company survey alludes to the impact of the Covid-19 pandemic on cybersecurity: “The surge of remote workers in the first quarter of 2020 may expose companies to a new set of risks.” The impact of the Covid-19 pandemic on cybersecurity continues beyond the first quarter of 2020 and affects both public and private companies.
According to the CEO of the Information System Audit and Control Association Inc. (ISACA): “Organizations…moving toward new ways of doing business during this time…can also lead to making compromises that can leave them vulnerable to threats…“[a] surge in the number of remote workers means there is a greater attack surface. Remote work is critically important right now, so security has to be at the forefront along with employee education.”
It will be interesting to watch for the extent to which the NACD’s 2020-2021 public and private company surveys address the impact of the Covid-19 pandemic on cybersecurity, including regarding cyber-risk oversight practices (among other areas), the percentages of public and private companies scheduling cyber-risk at least once and/or more frequently on the board agenda, and whether the practice of discussing the impact of cybersecurity regulations will be addressed.
Finally, whether the protests and government and law enforcement response in 2020 (including following the death of George Floyd) affect cybersecurity remains to be seen.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Melissa Krasnow is a partner at VLP Law Group LLP, Minneapolis, and advises organizations and their directors and senior executives on domestic and cross-border privacy, data security, big data, artificial intelligence, governance, technology transactions and mergers and acquisitions. She is a National Association of Corporate Directors Board Leadership Fellow and an International Association of Privacy Professionals Certified Information Privacy Professional/US (CIPP/US).