If this past year has taught us anything, it’s that preparation and resilience are key. With increased digitization came a new wave of ransomware attacks. The latest threat, the Log4j vulnerability, which allows attackers to access and control systems remotely, is causing a mad dash as companies scramble to patch the software, and identifying all the systems in need of the patch has been far from simple. This threat is pervasive and will require a lot of time to fix. The implications of Log4j will be among the significant drivers of the cyber challenge facing boards and executive teams in 2022. The challenge will be navigating cyber as a risk, and how boards respond to meet their fiduciary responsibility.
Vulnerabilities like this recent software bug underscore the importance of an agile approach to cybersecurity and risk management. Any organization’s cybersecurity strategy needs to evolve to keep pace with the ever-changing threat landscape, which seems to grow more sophisticated by the day. And the board’s oversight role needs to expand accordingly as management fine-tunes its cybersecurity strategy. Yet many board members do not realize that oversight of their company’s cybersecurity and risk management strategy needs to be an integral part of their duty of care. Many corporate directors are still unsure of the exact risks facing their organization, how prepared their company is for an attack and how quickly the company can get back to its operations if one were to occur. And in our current environment, that simply won’t cut it.
The truth is that boards and management teams will need to make some very big decisions around cybersecurity this year. So how can boards equip themselves with the tools they need to make good decisions as stewards of their organization? Here are four key practices directors should bear in mind to help fulfill their cybersecurity duty of care and to help keep their organizations as secure as possible, no matter what lurks around the corner.
1. Understand and oversee management’s risk appetite and stay informed
Boards and executives know that they should take cyber very seriously, but that acknowledgement doesn’t always translate into clear policies, processes and action. In order to better understand and evaluate the effectiveness of their company’s ransomware policies and incident response plans, board directors need to commit to their own education on the subject. Directors themselves told us in our Annual Corporate Directors Survey that their cybersecurity knowledge is limited—with only 33% of directors surveyed saying they understand the cybersecurity vulnerabilities that pertain to their company. And executives, particularly those most knowledgeable on the topic, are also concerned about directors’ acumen in the area. According to our Executive Survey, 54% of executives in charge of technology or IT said directors don’t understand cyber risks, compared with 43% of executives overall. With the limited understanding of cybersecurity and the increased threat landscape companies face, education and training on cybersecurity is essential.
Companies should identify opportunities to upskill board directors on cybersecurity issues to increase their knowledge around cybersecurity and cyber risk. Likewise, board directors should seek out a variety of internal executives and managers—in addition to third-party advisers, assessors and auditors—to understand the full impact of an organization’s cyber risk.
Once directors have a firm understanding of the risks that impact their organization, they can better oversee, assess and even challenge the business processes, risk mitigation strategies and policies management has in place to keep vulnerabilities at bay.
By nature, attacks and breaches have the upper hand because they catch us off guard. Although it’s impossible to predict the exact trajectory of an attack, basic cyber hygiene can help to reduce the likelihood of an attack or, at minimum, minimize its impact on the business. Part and parcel of basic cyber hygiene is making sure the board is asking the right questions long before an attack occurs. These questions are a great place for boards to start:
- Do we have a policy on when the board is notified regarding a ransomware/cyber attack?
- Do we as a board understand and concur with that policy?
- Has the board observed/participated in a tabletop exercise to understand management’s actions/decisions during an event?
- Has the board reviewed the response plan?
Cyber is part of a broader enterprise risk management effort, and it shouldn’t be siloed or rest solely on the shoulders of directors who are former CISOs. In today’s digital world, IT and cyber should be seen as the central nervous system of every company. It’s this cross-enterprise view that will help boards, along with executives, better understand how a risk is affecting different parts of the organization, and that can’t be done by one individual, or even a separate cyber sub-committee.
2. Work as a team and practice, practice, practice
A successful cybersecurity strategy is a living, breathing thing. There is no such thing as a “set it and forget it” approach to cybersecurity. Once the management team has established clear policies and processes, the board needs to make sure it gets visibility into the residual risks impacting the company. Board oversight of these risks is key to building effective incident response plans because it gives directors the full view of the environment and its vulnerabilities, so they can decide how comfortable they are with the associated risks and whether they are willing to live with the consequences if an attack occurs.
While boards may not be involved in the execution of their organization’s cybersecurity plans, they can play an active role in observing management’s tabletop exercises. Whether the board directly observes these tabletop exercises or gets feedback from management on how they went, these exercises provide directors with a good sense of how the organization would react if an attack occurs. They pull together all the stakeholders from across the company to bridge any gaps—from the information security team and operations, to communications and compliance, legal and privacy—and help provide a holistic view, bringing to light anything that may have been overlooked. When a business disruption occurs, like a ransomware attack, everyone is engaged—and the learnings from these exercises give the board confidence in management’s planning, decision making and posture to deal with an incident, so that the board can meet its fiduciary responsibility.
3. Evaluate risks and see that management spends accordingly
Increasing cybersecurity spending can help mitigate risks and protect the organization from harm. In fact, according to our latest Digital Trust Insights survey, a staggering 69% of organizations expect their cyber budget to increase in 2022, with 26% of those expecting a jump of more than 10%. But money alone is not the answer. The board needs to challenge management about not only how much they are spending, but also where they are spending it.
In order for boards to evaluate the effectiveness of their company’s cyber program and whether or not the investments the organization has made are the right ones, they need management to share a prioritized matrix of cyber risks. This matrix should look at cyber risk in the context of the impacts those risks have on the business in terms of revenue, business interruption, customer confidence, reputation and brand risk, while simultaneously taking into account the priorities set by management for particular risks and the investments made to address those risks.
In a perfect world, the greatest investments and the greatest priorities are the highest impact items, but often there can be gaps in that alignment. If there are gaps, management and the board need to work together to make adjustments, either to the investment or the prioritization, to make sure investments are aligned with the greatest impact.
4. Get ahead of regulation
Addressing cybersecurity oversight as a fiduciary responsibility for the board is more important now than ever before. Recently, regulators have been holding boards accountable for their lack of cybersecurity oversight. Directors should take steps to make sure that cyber oversight is always on the board’s agenda, always top of mind and never an afterthought. This will be key to avoiding these kinds of penalties and will help make sure the board continues to understand how to keep the organization protected against foreseeable harm.
Waiting to beef up cybersecurity oversight until it’s mandated is a luxury that boards and their respective companies can no longer afford. Whether your organization is restructuring a plan or building a new one, there is a great deal of regulatory change that needs to be taken into account, and it’s important that boards are constantly updated on how the environment is changing. It is imperative that this stays on the board’s agenda and that directors hold management accountable for keeping them looped in.
Any breach or security incident can cause pandemonium while it’s happening, and it is impossible to predict exactly how or when it will unfold. The silver lining to the Log4j situation is simply that we know about it. And we know that it will likely be the driver of many of the issues that boards face in the year to come. We don’t know what else is in store for us as the threat landscape continues to evolve. That’s why the board’s role in overseeing cybersecurity risk is a pivotal component in how businesses can better prepare for what comes next.
Organizations across all sectors have to be prepared to respond to an attack if and when it occurs, so they can resume business operations quickly and securely. At the end of the day, there is no doubt that it is within the board’s duty of care to provide meaningful cybersecurity oversight and to hold management accountable. When management and boards work in harmony, they can provide shareholders with the confidence that cybersecurity risk is being addressed appropriately.
Sean Joyce is US and Global Cybersecurity and Privacy practice leader with PwC. Joe Nocera is Leader of the PwC Cyber & Privacy Innovation Institute.