Corporate boards, in the wake of cyberattacks on software providers SolarWinds Corp. and
The recent attacks have forced boards of directors to rethink cybersecurity challenges and their potential ripple effects as companies face mounting legal and reputational risks from costly hacks. The attacks also show how a cyber incident in a connected system can quickly spread to contaminate thousands of companies at once.
“That’s a risk that hackers are exploiting because most companies aren’t paying attention to it,” said Bob Zukis, founder and CEO of the Digital Directors Network, a group that’s building a pool of technology executives that can sit on corporate boards. “It’s new. They don’t know how to approach it.”
But boards that demonstrate they’re acting thoughtfully and proactively to boost cybersecurity could better thwart legal claims, attorneys say.
Scrutiny of board oversight comes as policymakers are also paying more attention to cyber-risk. They are calling for more coordination between the public and private sectors and have floated a new requirement to report breaches to the federal government.
Pressure from within and outside companies to do more about cyber-risks has translated into benchmarking and self-evaluation from executives and the boards they sit on.
“The most important thing a board can do is have directors who are engaged on cyber,” said Sachin Bansal, general counsel of risk rating platform SecurityScorecard. “As boards evaluate their members and consider replacing or adding members to the board, cybersecurity is going to be one criterion they look for.”
Nearly 60% of Fortune 100 companies analyzed by consulting firm EY included cybersecurity as an area of expertise sought on the board or cited in a director biography in 2020. That’s up from about half of boards the prior year, and about 40% in 2018.
While some have called for corporate boards to add cyber experts to their ranks, others argue it’s better if all board members have an understanding of their company’s security profile and potential risks.
“Everyone on the board should be educated on cyber,” said Margot McShane, who co-leads board and CEO advising in the Americas for recruiting firm Russell Reynolds. “I don’t think they have to be expert.”
Directors looking to beef up their cyber knowledge can take training or certification programs from groups like the Digital Directors Network and the National Association of Corporate Directors. A majority of directors, in a survey by the NACD, said they needed to improve their oversight of cybersecurity threats, which were cited as a top business trend for 2021.
Directors are recognizing that the risk is so systemic that it warrants a different approach, according to Friso van der Oord, the association’s research director. “It’s not just affecting one company at a time,” van der Oord said. “It has this cascading domino effect.”
Boards are also turning to cyber consultants. Kelly Bissell, head of Accenture Security, who works with boards to evaluate their cybersecurity and offer advice specific to their business, said he has gotten more calls in the past six months than in the entire previous year, as hacks and ransomware attacks escalate.
Bissell stressed that boosting cyber literacy isn’t just about directors learning the language of security but ensuring that chief information security officers can explain their work. “We have to ensure the CISO can communicate effectively at the board level, not in bits and bytes,” Bissell said.
But not every risk needs to be understood by the board, said Dave Tyson, a strategic council member of the Private Directors Association’s Cybersecurity Initiative. Learning to prioritize—and how to communicate simply and clearly—is key, he said.
The Private Directors Association, like the NACD, educates potential board members, with a particular focus on raising cybersecurity literacy given recent hacks and growing legal liability concerns, Tyson said.
Boards of directors could face legal liability if they’re seen as failing in their cyber-risk oversight duties or failing to communicate risks.
In the wake of a massive data breach at credit rating firm
“If you look at the post-hack lawsuits, it’s not uncommon for directors to be sued,” said Tom Zych, head of the privacy and cybersecurity and emerging technologies groups at Thompson Hine LLP in Cleveland. Directors must demonstrate that they’ve exercised proper judgment over cybersecurity to thwart such claims, Zych said.
The U.S. Securities and Exchange Commission has issued guidance in this area, recommending in 2018 that companies provide investors with more comprehensive and thoughtful disclosure around cyber-risks. The SEC, which some in the cybersecurity industry say didn’t go far enough at that time to improve disclosures, could face pressure to update its advice in the aftermath of recent hacks.
“It’s forcing companies to understand at a more granular level what some of those cyber-risks and responsibilities are at the board level,” said Reena Bajowala, a partner in Ice Miller LLP’s data security and privacy and information technology practices. “Companies should have comprehensive and thoughtful disclosures around those issues.”