Board members, the cybersecurity metrics and the “activists” (By François Gratiolet, Cyrating)

Cyber-attacks are popular in terms of frequency, business impacts and visibility. When reading the headlines, senior executives are becoming more and more anxious regarding data breaches.

(Lack of) cybersecurity may even jeopardize members of board of directors. Thus, for instance, in the U.S., in the five recent years, shareholders have initiated litigation against the directors of the Target, Wyndham Worldwide, TJX Companies, and Heartland Payment Systems. The data breach has cost the Target corporation a significant drop in its profit, which was estimated around 40% in the 4^th quarter of the year. As a consequence, the CEO was dismissed. Then after, shareholders of Target urged to oust seven of Target’s ten directors for “not doing enough to ensure Target’s systems were fortified against security threats” and for “failure to provide sufficient risk oversight” over cybersecurity.

More recently, summer 2017 has been overwelmed by data breaches. Large organisations such as Saint-Gobain, Renault, FedEx, Maersk, National Health System in the UK, Deutsche Bahn, Telefonica faced +100M€ of damages. Equifax lost more than 5B$ market cap in 2 days, the Equifax CEO, CIO and CISO quit the company.

Because comprehensive European regulation such as GDPR and NIS directive will be effective in May 2018 with fines up to 4% of global turnover, we can probably assume that this phenomenon will accelerate and entry European markets, jeopardizing board members.

Another risk that board of directors face is “activist” shareholders. They can make alliance to challenge re-elections of directors when it’s perceived that they didn’t do enough to prevent a cyber-attack. Indeed, on behalf of shareholders, role of the board of directors is all about governance, i.e. to control and oversight business strategy related decisions and to manage efficiently risks.

According to the New York Stock Exchange’s definitive cybersecurity guide (October 2015), board of directors mainly fails:

• to implement and monitor an effective cybersecurity program;
• to identity and protect company assets and business by recklessly disregarding cyber-attack risks and ignoring red flags;
• to implement and maintain internal controls to protect customers’ or employees’ personal or financial information;
• to take reasonable steps to notify individuals in a timely fashion that the corporation’s information security system had been breached.

Because cybersecurity is becoming a genuine business risk, it needs to be addressed with a strong and professional risk management approach. Early January 2017, the World Economic Forum advocates to leverage cyber resilience principles and tools for boards.

Indeed, unlike any other business disciplines (sales, marketing, finance, etc.), cybersecurity suffers from a lack of objective data points and KPIs.

In October 2017, E*TRADE Board Member, James Lam, stated to Forbes that “he would like to see more cyber risk metrics and analyses, including expert commentary from the CIO and CISO, on the threat environment, risk exposures against risk tolerance levels, and effectiveness of key controls” and that “he would also like to see assurance metrics on overall program effectiveness and early-warning signals on future threats”.

Therefore, board members should receive from the CIO and CISO periodic cyber risks updates through objective metrics, and should have also access to external cyber services whose expertise and experience board members can rely on in making decisions about what to do (or not) to manage cyber risks.

It will enable board members to stay involved in the corporations’ cybersecurity program and to engage themselves in a higher level of support with the risks associated.

Because board members will be more involved, it will promote cybersecurity, and engage senior management, middle management and finally ALL employees.

As a whole, it will improve the overall resilience of the corporation, and we can expect that it will bring more value to shareholders, which will better protect board members from « activists » shareholders.