Connect Us
Aug 02, 2022
Understanding how to offset, mitigate and transfer risk is the true work of executive leaders and board directors. This work becomes even more important amid increasing and evolving cyber threats. To respond to these threats effectively, boards need the right level of insights and analytics to “contextualize” them and make informed decisions around risk transfer, acceptance and management. Fortunately, risk and governance experts have provided direction for boards to effectively operate even among uncertainties.
The cyber threat surface has exploded in size and capacity because of our global interconnectedness, our reliance on devices and our increasing number of internet connected things from cars and appliances to wearables. According to Dominique Shelton Leipzig, partner and head of Global Data Innovation at Mayer Brown, 127 new and connected devices are created every second. Last year, connected devices around the globe generated 2.5 quintillion bytes of data a day, with the global economic cost of data breaches in that year at $6.1 trillion, the equivalent of the world's third largest GDP.
To respond to these threats effectively, boards need the right level of insights and analytics to "contextualize" them and make informed decisions around risk transfer, acceptance and management.
“Boards can prepare for a lot of the scenarios that seem to unfold today with greater regularity,” said Steve Roycroft, CEO of RANE Network, a provider of risk intelligence to help companies build operational resiliency. “It comes down to the operating rhythm of the company, and whether training and reporting are woven into the DNA of how the company operates. How the company embraces risk as it matures is a critical area for board oversight. It is up to the board to encourage resiliency as part of the DNA of the enterprise.”
Amid the rise in cyber threats are heightened cybersecurity regulatory activities at the international, federal and state levels. Proposed rules have been announced by the European Union (EU) and the U.S. Securities and Exchange Commission (SEC), in a growing number of states and by various industry specific regulators.
Ransomware is “an 800 pound gorilla that is consuming a lot of time and money in terms of response and containment,” according to Christopher Hetner, former Senior Cybersecurity Advisor to the SEC Chair. Hetner noted that SEC filings show mid market companies are especially vulnerable because many lack the resources required to defend themselves when compared to larger firms. Moreover, the need for board preparedness is not just reserved for public companies, private companies have increasingly come into risk, particularly ones identified as targets by private equity firms.
On March 9, 2022, the SEC proposed regulations that would require public companies to disclose how their boards oversee cybersecurity and to report cybersecurity breaches within four days of the corporation's determination that a breach is a material event. Thus, public companies and their boards need reliable methods to discern whether an incident exceeds the threshold for materiality requiring disclosure.
In addition to SEC regulations, industry specific mandates focused on earlier disclosure and awareness like the Computer Security Incident Notification (CSIN), which requires reporting of cyber risk incidents by financial services firms, are coming into effect May 1, 2022. And, just as the 2018 General Data Protection Regulation (GDPR), the security and privacy law passed by the EU which ushered in steep fines for non-compliant companies, new and stiffer regulations, such as the EU's Digital Operational Resilience Act (DORA), which targets the financial sector, are now making their way through the EU's regulatory maze.
Resources to aid executive leaders and directors to determine the material impact of cybersecurity risk quickly and accurately are essential, Hetner explained. But the market has struggled to connect the value of cybersecurity to a company's bottom line, rendering investments in cybersecurity difficult to justify. “There's a disconnect between cyber risk and business risk, and the way that's expressed in the boardroom,” Hetner asserted.
The solution lies at the intersection of the cybersecurity insurance ecosystem and arming boards with data that is going to be meaningful and actionable, informing what types of oversight they should lean into. Boards need to be provided with insights and analytics to contextualize cyber risk and incidents to business, operational and financial impacts, to make confident decisions about risk.
*The article has been authored by for the Nasdaq Center for Board Excellence by their internal team.**
The Nasdaq Center for Board Excellence is a community and collaboration environment in which board engagement is deepened and experiences are shared.
Owned by: Institute of Directors, India
Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.
About Publisher
Bringing a Silent Revolution through the Boardroom
Institute of Directors (IOD) is an apex national association of Corporate Directors under the India's 'Societies Registration Act XXI of 1860'. Currently it is associated with over 30,000 senior executives from Govt, PSU and Private organizations of India and abroad.
View All BlogsMasterclass for Directors
Categories
