April has come and gone without the SEC finalizing its expected cybersecurity regulation for public companies. Maybe the Commission is having the same concerns that we hear from some of our clients.
The draft regulation published a year ago included a requirement to disclose the cybersecurity expertise of individual board members. Many commentators were predicting that boards would be required to add cyber experts just as they are required to have directors who are qualified financial experts.
There is no doubt that cyber threats are multiplying. Or that digitization expands the ways that companies are vulnerable. Or that the losses from business interruption, theft of valuable data, and financial fraud can be enormous.
But is putting a Chief Information Security Officer (CISO) on your board the right answer? Here are some concerns we have been hearing:
Cyber risk is a strategic, enterprise risk that is the shared responsibility of the entire board of directors. While it is valuable for a board to have state-of-the-art cyber expertise, adding a cyber expert does not reduce other board members’ responsibility for cybersecurity failures.
Board members who are not pilots or mechanics oversee airlines. Non-CPAs productively interpret financial statements. Requiring every aspect of the company to have its own board expert would change the nature of the board and its activities.
Information security experts tend to have focused their careers in a vital but narrow area. Below the C-level, they are unlikely to have acquired much exposure to governance, strategy, HR, and other key board topics.
Trewstar has placed several qualified CIOs and CISOs on boards that needed their specific skill sets. The best among them have spent years working in a variety of business units and ultimately land on the senior leadership team with plenty of board exposure. There will be more at this level over time, but today there simply aren’t enough to supply every board.
There seems to be a growing roar that says it is no longer acceptable for board members to expect someone else to understand cyber issues for them.
The question remains how non-tech directors can develop or acquire the necessary cyber understanding to fulfill their duties. There are many courses offered to help directors and we at Trewstar are going to take one ourselves to gauge its effectiveness. For a more immediate solution, we advocate for cyber advisory councils of 3-4 experts, rotating every two years, who spend around 20 hours a year with the company and board to support directors on their journey to cybersecurity competence.
One other thought:
We have historically seen little demand for General Counsels or Chief Legal Officers on boards. But perhaps the complexities of cyber legislation, regulation, litigation, and insurance will make these profiles more appealing? Broadly experienced GCs who have dealt with cyber issues have the necessary exposure to transition smoothly from management to board and can bring a useful business/cyber lens with them.