The board has a bigger role to play in promoting organizational cyber resilience


It’s no surprise that as the cyber threat landscape continues to evolve alongside the adoption and integration of new technologies, the risks companies face in keeping their organizations secure evolve as well. This trend has been observed for some time, and companies are taking note of it: more than 70% of respondents to PwC’s Global Digital Trust Insights Survey observed improvements in cybersecurity over the past year. That is certainly a step in the right direction as the threats continue to escalate.

In today’s environment, you are much more likely to have been impacted by a breach than not. In reality, one in four companies (27%) worldwide have suffered a data breach costing $1 million to $20 million or more in the last three years. And despite their heightened awareness and increased focus on cybersecurity, only 40% of senior executives say they have fully mitigated the risks of their bold actions. In other words, there is still work to be done.

Teamwork is the best way to navigate this landscape of increasing risk. It requires CISOs and the rest of the C-suite to work together as a cohesive unit to build cyber defenses and resilience, and it requires the C-suite to keep the board informed and to understand the board’s role as a key stakeholder. For board members, the task is to keep abreast of the latest key risks facing their organization. The best boards understand how these risks are managed, what questions they should ask, and how best to provide cybersecurity oversight for their organization.

Here are some tips to deepen the board’s understanding of the organization’s cyber posture and position them to help build the company’s cyber resilience:

  1. Understand the Cyber Risk Management Program

A majority (59%) of directors say their board is not very good at understanding the drivers and impacts of cyber risk on their organization. And yet, according to PwC’s Annual Corporate Directors Survey, more than 90% of directors are confident that their organization keeps its cyber defenses up to date, has identified its most valuable digital assets, and has sufficiently tested its resistance to attacks. This overconfidence on the part of boards, coupled with the admission that they may not fully understand all the risks facing their business, is a risk in itself. It could cause the board to pay insufficient attention to its cybersecurity risk management program, leaving the organization more vulnerable.

Boards should ask:

  • What are the main threats we need to be aware of? What motivates them? How do we respond to these threats?
  • Do we have a policy for when we [the board] are notified of a breach or other cyberattack? Do we understand and agree with this policy?
  • Have we reviewed and tested the management cyber response plan?

Boards need to be able to identify and understand the key threat actors impacting their organization, what motivates them, and what the business implications are if their organization is targeted. These answers can help boards understand the company’s potential vulnerabilities and therefore better understand the top cyber risks that can then be part of the company’s enterprise risk management program.

  2. Ask for Transparency

As a key stakeholder alongside the executive suite, boards can become guardians of cybersecurity transparency. Directors, customers, investors and regulators are hungry for transparency and are demanding more and better information, especially in the form of disclosures about cyber incidents, policies and practices.

Here are some tips to help foster more transparency:

  • Ask how the CFO, CISO, CIO, and other executives are preparing for the required cyber disclosures that will almost certainly be coming soon.
  • Discuss how current cyber risk management practices and disclosures align with the SEC’s proposed rules, and whether there is a plan to close those gaps.
  • Ask the CISO to speak your language and be prepared to learn theirs. Ask to observe or participate in tabletop exercises to better understand management’s actions and decisions during a cyber event and the organization’s overall resilience plan.
  • Hold private one-on-one sessions with the CISO to build a stronger relationship and ask questions about what keeps them up at night, so they can take action.

The SEC seeks further information to help stakeholders understand how a company manages its cyber risk exposures. The C-suite understands the important role that transparency plays in building trust with stakeholders. In fact, 80% of senior executives agree that mandatory cyber incident disclosure, with comparable and consistent formats, is necessary to build trust.

  3. Reassess the Board’s Oversight Approach

Periodically reassessing the board’s oversight approach to cybersecurity can help improve effectiveness. Every organization is different. Some boards task the audit or risk committee with overseeing cyber risk, while others leave it to the full board. In other circumstances, a new committee is created to oversee the organization’s cyber posture. Whatever approach your board adopts, it is important to regularly assess how it is functioning, determine whether changes need to be made to improve effectiveness, and determine whether directors have the expertise required to ensure meaningful oversight.

This is where development and education come in. Assessing whether to add cybersecurity expertise to your board is important, but ensuring the entire board has access to educational resources and development opportunities to deepen its understanding of the ever-changing cybersecurity risks facing your organization is critical. Bring in outside experts to help the board or one of its committees better understand and manage cyber risk.

Directors can improve their cybersecurity knowledge by:

  • Participating in regular discussions with management on the biggest threats facing the business, third-party risk mitigation plans, active observation of tabletop exercises, and so on.
  • Attending cyber risk conferences and/or external trainings to keep abreast of protocols and current events from the director’s seat.
  • Requesting presentations from leading external experts and/or law enforcement to better understand the latest trends.
  • Soliciting peer perspectives: connecting with fellow directors from other organizations can help broaden the perspective of the board.

Make no mistake: the threat landscape is changing, and rapidly. Although 40% of business leaders surveyed in our recent PwC Pulse: Managing business risk in 2022 ranked cybersecurity as the number one serious risk facing their businesses, increased awareness of these risks is not enough to mitigate them. Both the board and the C-suite have an important role to play in navigating this growing threat environment. Their collective effectiveness depends on how much they are willing to invest and collaborate. It can be difficult to accurately predict when or what the next threat will be, but with a better understanding of cyber risks, education, transparency, and frequent reassessment of the board’s cybersecurity oversight approach, boards and management teams can work together to build organizational resilience.

Joe Nocera is Partner Leader, Cyber Risk & Regulatory Marketing at PwC, and Maria Moats is Governance Insights Center Leader at PwC.

Aubrey L. Morgan