This content was paid for by an advertiser and created by The Wall Street Journal advertising department. The Wall Street Journal news organization was not involved in the creation of this content.

Cybersecurity and the Board: 8 Issues Keeping Directors up at Night

Posted on August 3, 2016

Cyber threats continue to be a major concern for companies and boards today. Companies saw 38% more detected security incidents in 2015, and the average total financial loss because of those incidents was $2.5 million. It’s no surprise, then, that 88% of US CEOs are worried that cyber threats could impact growth prospects.[1] How can companies and boards stay on top of this complex and dynamic situation?

Boards understand the potential severity and damage a breach can do, and they’re getting a better handle on how to oversee cybersecurity issues. Our annual survey of nearly 800 corporate directors revealed that 83% say their boards are at least moderately engaged with overseeing the risk of cyberattacks, but there is often a knowledge and translation deficit that can weigh on directors. So they need to talk to management and ask questions. And they need to realize that the issues for discussion are constantly evolving.

Here are eight issues related to cybersecurity that directors are asking about:

1) Due care – What does exercising due care mean in the context of cybersecurity and privacy?
There’s no established due care standard when it comes to cybersecurity, and governments and regulators provide little general guidance that board members can follow. So how do boards know if they’re doing a good enough job when it comes to cybersecurity oversight? For one, boards should treat cybersecurity as more than just an IT risk; a breach can impact the entire company, so it should be considered a broad corporate risk. Boards should determine and understand who on the board is responsible for technology risks, including cybersecurity. Often, it’s the whole board. The board should also work with management to think through what information it needs to effectively oversee cyber risks. That includes considering whether the company should adopt a framework of standards, such as the NIST Cybersecurity Framework, against which it can assess its compliance and, ultimately, improve its cybersecurity program.

2) Board briefings – Who should meet with the board to discuss cyber risks?
While directors say they have a decent handle on the risk of cyberattacks, two-thirds say they’re “not very” or only “somewhat” comfortable that management provides the board with adequate reporting on security metrics.[2] Boards can proactively address this disconnect by meeting with the company’s top technology people, such as the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO). In fact, 25% of directors say they meet with the company’s CIO at every formal meeting, up from 18% in 2012. Boards may also want to consider meeting occasionally with outside advisors to get additional insights on the latest trends and risks.

3) Insider threats – What has the board done to mitigate insider threats?
Company insiders can be dangerous threats when it comes to cybersecurity. Some nation-states have even planted insiders to try to steal intellectual property, customer data, and trade secrets. To counter this, companies are using technology, such as data analytics and insider threat detection programs, to flag unusual behavior. Boards will want to ask management how it monitors for insider threats.

4) Third-party risk management – How do we ensure that the data our third parties handle, store, and transmit is reasonably protected?
Another weak link can come from the company’s service providers, consultants, suppliers, and contractors—who typically have access to sensitive information on the company’s network. Nearly one-third (31%) of directors say they’re not very comfortable that their company has identified the parties who might attack the company’s digital assets.[3] Boards will want to understand how the company selects, vets, and monitors third parties. They’ll also want to understand the legal liabilities related to third-party cyber breaches.

5) Cyber insurance – What does it cover, and will insurers continue to cover you?
The frequency and severity of cyberattacks have many companies starting to consider, and actually purchase, cyber insurance. But some companies remain wary of the idea because cyber risk is so different from other risks and there is little publicly available data with which to measure the impact of cyberattacks. Still, the cyber insurance market is expected to reach $7.5 billion in annual sales by 2020—from $2.5 billion in 2015.[4] More boards are discussing their company’s cyber insurance coverage: 53% of directors say their board has discussed it, up from 33% a year earlier.[5] Boards will also want to understand how the cyber insurance market may change as underwriters become more sophisticated.

6) Information sharing – Do companies share breach experience or solutions with competitors? Do they communicate with the federal government about threats and intelligence?
Worries about cybersecurity have many CEOs thinking about other approaches. Collaboration is one way companies can learn more about what’s happening around the industry and marketplace, and CEOs are warming up to the idea of collaboration between business and government about cybersecurity strategies. Boards should ask what the company is doing to learn from others and how the company is using other companies’ experiences to try to improve its own resilience and cybersecurity.

7) M&A – How does cybersecurity factor into M&A?
In a merger or acquisition, it is important to understand what you are buying. Are you buying a company with strong cybersecurity or are you buying something that will put your company at risk? Cyberattackers may also try to compromise a target company in order to gain a foothold in a larger, merged entity. Directors will want to ask management how cybersecurity is analyzed in potential transactions. If their company is the acquiring company, boards will want to ask for breach information from the target company. Directors will also want to press management to think about cybersecurity consequences far earlier than normal in the deal cycle.

8) Incident response/breach notification – Does the company have a cyber response plan in the event of a breach? What does it entail?
Things can—and do—go wrong. A security breach can cause serious damage to a company’s reputation and its stock price. Boards should discuss with management the company’s incident response plan and what it entails regarding cybersecurity. Only one in four directors say they’re “very comfortable” that the company has adequately tested its cyber incident response plan,[6] so boards should discuss how management tests the plan and how it could be made more effective.

While these are the hot questions on the minds of directors today, cybersecurity is a very fluid topic. One of the most important things a board member can do is stay on top of the issues—even if it is like playing Whac-A-Mole.

[1] PwC, 2016 US CEO Survey, January 2016.
[2] PwC, 2015 Annual Corporate Directors Survey, October 2015.
[3] PwC, 2015 Annual Corporate Directors Survey, October 2015.
[4] PwC, Insurance 2020 & Beyond: Reaping the Dividends of Cyber Resilience, September 2015.
[5] PwC, 2015 Annual Corporate Directors Survey, October 2015.
[6] PwC, 2015 Annual Corporate Directors Survey, October 2015.

Follow @paula_loop on Twitter

© 2016 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

