U.S., German, and Latin American Boards and Cybersecurity: Similarities and Differences

October 28, 2019

by Larry Clinton

In a field seemingly overpopulated with remarkably similar programs on cybersecurity, the Organization of American States, of all places, will host a unique program at their Washington, D.C. headquarters on November 8.

OAS, along with the Cyber Security Council of Germany and the Internet Security Alliance, will discuss the findings of a coordinated multi-year, multi-cultural project aimed at creating a grounded framework for how corporate boards can best address cyber threats across three continents.

The resulting framework is based on research conducted over the past three years involving more than 700 board members and cyber experts from the U.S., Latin America, and Europe. The research included half a dozen in-region workshops and 15 international webinars, as well as continual exchanges in written drafts. Associations representing corporate directors on all three continents participated in the program, as well as government agencies including the U.S. Department of Homeland Security, the U.S. Department of Justice, the German Federal Office of Information Security (BSI), and the OAS.

The research determined that the five core principles originally published by the National Association of Corporate Directors in its 2014 and 2017 Cyber-Risk Handbooks do provide a useful core framework for boards to use in overseeing cyber risk management. These principles call on boards to (1) treat cyber risk as an enterprise-wide risk management issue rather than an IT issue, (2) understand their unique legal responsibilities, (3) secure adequate access to cybersecurity expertise, (4) expect management to provide them with a clear enterprise-wide framework for addressing cybersecurity, and (5) require an adequate risk assessment program that identifies which risks can be accepted, mitigated or transferred. PricewaterhouseCoopers has documented that these principles, if followed, can result in substantially improved cybersecurity outcomes.

However, the research also highlighted significant differences that demanded the creation of adapted versions of the handbook modeled for each region.

For example, the dual-board structure (separate management and supervisory boards) in Germany and the heightened sensitivity regarding personal privacy in Europe required substantial adjustment to the treatment of what the US version refers to as “insider threats,” since monitoring of employees is far more constrained there.

In Latin America, boards are often dominated by family members rather than following the independent director model common in the U.S., and broad concerns about corruption in government undermine the public-private information sharing programs that have become standard, fundamental elements of US and European cybersecurity programs.

Belisario Contreras, Program Manager of OAS, Hans-Wilhelm Dünn, President of the Cyber Security Council of Germany, and Larry Clinton, President of the Internet Security Alliance, will discuss the similarities and differences in how boards can best implement the productive approaches to cybersecurity outlined in the US, German and OAS versions of the handbooks.