This is the second in a series of blogs distilling the cybersecurity advice for boards of directors contained in the new Cyber-Risk Oversight 2020 Handbook published by the National Association of Corporate Directors and the Internet Security Alliance.
By Larry Clinton
In 2015, ISA, along with Georgia Tech, the New York Stock Exchange, and Palo Alto, produced Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, which sorted cyber risk for directors into three categories: 1) data loss/disruption; 2) reputational risk; 3) legal and regulatory risk. Principle 2 in ISA-NACD’s new Cyber-Risk Oversight 2020 focuses exclusively on legal and regulatory risk.
It is critical to understand that while there are legal and regulatory risks associated with unreasonably inadequate corporate behavior, this legal and regulatory risk is almost completely distinct from the more dangerous cyber-affiliated risks. An organization can lose or have data significantly compromised and suffer reputational harm without running afoul of any regulatory requirement. Similarly, in the wake of a data breach, costly lawsuits can be filed against an organization even if there is no significant data or reputational harm, simply because the organization is out of compliance with a regulatory requirement.
So, while boards need to monitor management to assure they maintain regulatory compliance, they must also understand that regulatory compliance is not the same as, and does not guarantee, security.
There are three major themes that are articulated in Principle 2 of the new cyber-risk handbook.
- Boards need to keep apprised of the quickly evolving, and often uncoordinated, cybersecurity regulatory structure.
- Boards should make use of reasonable tools to oversee management’s compliance with their unique regulatory obligations and be able to demonstrate that they have done so.
- Boards need to be aware that management’s assurance of compliance can easily be misinterpreted to suggest that their networks and data are actually secure.
As the new ISA-NACD handbook points out, there is certainly legal and regulatory cyber-risk that boards need to be aware of. “High-profile attacks may spawn lawsuits, including (for public companies) shareholder derivative suits accusing the organization of mismanagement, waste of corporate assets, and abuse of control.”
The legal risks engendered by inadequate cybersecurity are largely a response to the fact that there is no consensus regulatory structure for addressing the novel stresses created by cyber-attacks, and to the lack of clarity as to who or what should be in charge. As a result, over the past few years an uncoordinated and disparate regulatory structure has emerged around the world. Boards need to be aware that their organization’s legal obligations may differ substantially from those of other companies, depending on the specific sector it serves, the location of its operations, and even the locations of its customer base.
There has also been a substantial expansion of international requirements, some of which carry very substantial penalties. Perhaps most prominent is the General Data Protection Regulation (GDPR) in Europe, alongside other distinct regulatory structures in Latin America and Asia. These are addressed in a comparatively light way in the ISA-NACD handbook but are covered more fully in region-specific handbooks for Germany, the UK, and Latin America, as well as in a pan-European edition of the handbook which will be published this month by ISA and the European Confederation of Directors Associations (ecoDa).
The new handbook substantially expands its descriptions of these requirements, particularly the guidance provided by the Securities and Exchange Commission. However, it is beyond the capacity of the ISA-NACD Handbook to address the numerous state-based, and even municipality-based, requirements that may exist.
Notwithstanding the growth in cybersecurity requirements, the reality is that very few significant cases have been successfully prosecuted, especially compared with the enormous number of cyber-attacks we have had. Despite years of predictions of massive lawsuits, and of these cases being leveraged to enforce changes in cybersecurity behavior, the history does not bear out much success.
Whether this history will be repeated is a matter of much debate, but predictions about the future are not the subject matter of the 2020 Oversight handbook. Instead, the handbook advises boards to oversee management so that it takes reasonable steps to protect the data it possesses, and to be able to verify that the board is involved in this process.
Board minutes should reflect the occasions when cybersecurity was present on the agenda at meetings of the full board and/or of key board committees, depending on the allocation of oversight responsibilities. Discussions at these meetings might include updates about specific risks and mitigation strategies, as well as reports about the company’s overall cybersecurity program and the integration of technology with the organization’s strategy, policies, and business activities.
While performing, and documenting, continuous board oversight of management’s adherence to cybersecurity requirements is an essential part of good governance in the digital age, it is not an assurance that organizations are protected from cyber-attack. Typically, regulatory requirements will specify a variety of operational steps that are spelled out in standard (sometimes specifically tailored) organizational frameworks such as NIST, FISMA, ISO, and/or PCI. While these frameworks may be required for compliance purposes, their utility in preventing and mitigating cyber-attacks is largely unproven.
In his comprehensive review of the literature on the effectiveness of such requirements in his book, How to Measure Anything in Cybersecurity, Douglas Hubbard concluded that:
“There is not a single study indicating the use of such methods actually reduces risk.”
Principle 2 in the 2020 Cyber-Risk Oversight Handbook speaks to the foundational issue of regulatory compliance. Boards obviously need to closely adhere to the recommendations covered in this section, but they must also be aware that these compliance regimes are a necessary, but not sufficient, part of an enterprise-wide cybersecurity process.