All of us in the cybersecurity business like to believe that cybersecurity is a boardroom issue and has been for the last few years. On the other hand we all know that most executives view cyber security as a technical issue to be handled by technologists, antithetical to corporate culture and a burden on doing business. Many executives still see cyber security as a checkbox exercises to be done as quickly as possible.
This was backed up by the latest ESG report “Business executives and boards drive business decisions. CISOs are then tasked with bolting on technical security controls and cleaning up messes as they occur.”
As businesses becomes more and more dependent on digitalization, effective implementation of digital risk management is becoming as critical to the business as managing financial and other risks. The question is whether the Solarwinds breach will be the risk management wakeup call as was the financial crisis of a decade ago – or will we have to wait for the next blowup before the change occurs.
Risk management failures during the financial crisis a decade ago are directly relevant to the issues of cybersecurity risk management today. At that time corporate risk managers were not regarded as an essential part of implementing the company’s strategy. Also, many boards were ignorant of the true risks facing the company. The same hold true for many of today’s corporate cyber risk management practices.
It is simple to take OECD recommendations for effective corporate risk management from 2010 and apply them to 2021 cyber risk management:
- It should be fully understood by regulators and other standard setters that effective cyber risk management is not about eliminating risk taking, which is a fundamental driving force in business and entrepreneurship. The aim is to ensure that risks are understood, managed and, when appropriate, communicated.
- Effective implementation of cyber risk management requires an enterprise-wide approach rather than treating each business unit individually. It should be considered good practice to involve the board in both establishing and overseeing the cyber risk management structure.
- The board should also review and provide guidance about the alignment of corporate strategy with cyber risk-appetite and the internal cyber risk management structure.
- To assist the board in its work, it should also be considered good practice that cyber risk management and control functions be independent of profit centres and the “chief cyber risk officer” or equivalent should report directly to the board of directors along the lines already advocated in the OECD Principles for internal control functions reporting to the audit committee or equivalent.
- The process of cyber risk management and the results of risk assessments should be appropriately disclosed. Without revealing any trade secrets, the board should make sure that the firm communicates to the market material risk factors in a transparent and understandable fashion. Disclosure of risk factors should be focused on those identified as more relevant and/or should rank material risk factors in order of importance on the basis of a qualitative selection whose criteria should also be disclosed.
- With few exceptions, cyber risk management is typically not covered, or is insufficiently covered, by existing corporate governance standards or codes. Corporate governance standard setters should be encouraged to include or improve references to cyber risk management in order to raise awareness and improve implementation.
Let’s see if Solarwinds was a bad enough crisis – or whether we’ll have to wait for something even bigger…