Corporate boards face rapidly increasing risks, and at the center of this development is the escalating accountability of individual board members. Directors no longer operate in safety, free of legal risk. The landscape is changing.
A perfect example of the changing risk landscape is the importance of cybersecurity protection and oversight. The criminal cyberattack on the Colonial Pipeline, and the company's decision to pay more than $1 million to recover from the ransomware attack, underscore the new environment for corporate boards. The issue is not limited to energy infrastructure; it extends to all critical technologies and to a wide range of industries. Last year, the SolarWinds cyberattack highlighted another vulnerability: our nation's reliance on software services to control and manage the Internet backbone.
Cyber risks are even more significant in the work-from-home arrangements that have become a permanent part of how we work. Although this trend began in response to the COVID-19 pandemic, it is clear that office and work environments have been transformed for the future. Risks and vulnerabilities have multiplied as large working populations rely on unsecured home wireless networks to access critical work resources. Virtual private networks are now used to protect critical information and data in this new work environment.
Corporate boards should manage cybersecurity risks, mitigate vulnerabilities, develop crisis-response protocols, coordinate interactions with law enforcement when necessary, engage information-security and cybersecurity experts to assist in any cybersecurity emergency response, and ensure adequate insurance to protect against significant economic damage. This laundry list of responsibilities is overwhelming at first glance, but these issues must be addressed.
The underlying risks are daunting on their own, and they are further complicated by the growing importance of general data-management and information-governance requirements. Businesses must manage, store and move sensitive data in ways that protect it from intrusion and noncompliance, subject to global requirements that vary from jurisdiction to jurisdiction.
Adding to this complex situation, the SEC has raised the importance of accurate disclosure of cyber and data risks to shareholders, institutional investors, proxy advisory firms and other stakeholders. Suddenly, regulators and stakeholders are focusing on corporate governance and risk management in the area of cybersecurity, and they are prepared to penalize and hold accountable companies, their boards of directors and senior management when they learn of unmitigated cyber risks. Governance of corporate cybersecurity is now a key component of the ESG movement.
In the face of this difficult environment, corporate boards need to understand exactly how to conduct proper oversight and exercise their responsibilities. A defined framework for this effort is essential. Such a framework should include the following components:
- Outline: The oversight framework should be defined in general terms to include the essential elements. From the start of this process, the board's approach and efforts should be recorded so that its work is accurately documented. The framework should include the essential functions listed below.
- Responsibility: In most cases, the audit committee assumes responsibility for overseeing cyber risk. Given the importance of this role and the existing workload of the audit committee, a separate cyber-risk committee may be appropriate. Even where oversight is delegated to a separate committee, the full board should receive a quarterly report and review of cyber-risk oversight.
- Risk and vulnerability assessment: As in all areas of risk management, the board must understand the company's risks and vulnerabilities to cyberattacks, as well as to misconduct by employees or third-party personnel. This assessment is the foundation of cyber-risk management and should be updated periodically to reflect changes in business, technology and information activities. The assessment must include the risks posed by third parties, the supply chain and business partners, because these external relationships and operations create potential vulnerabilities.
- Detection and response plans: Directors need to understand how the company is protected from cyber intrusions. Specifically, board members need to understand exactly what protections exist and how the company can detect a possible intrusion. While these systems may involve complex technical matters, board members should strive to understand how they work and the level of protection they provide. The security program must be captured in writing so that it is documented and understood by board members. When vulnerabilities are identified and remediation is needed, directors should monitor the plans to mitigate them and hold those responsible for resolving these issues accountable.
- Written policies and available resources: A corporate board should ensure that the company has established policies and procedures governing cybersecurity. These policies and procedures should reflect the cybersecurity framework established by the National Institute of Standards and Technology, along with recent executive orders addressing these issues.
- Crisis response and disclosure plan: The last issue boards should consider is reviewing the protocols for responding to a cyber incident, whether an attack or a data breach. The response plan should include a step-by-step protocol to protect against litigation, which often follows as a second front initiated by shareholders, the government or other parties. A communication plan should be prepared to coordinate with law enforcement and to make timely disclosures to regulators, key stakeholders and the public.