At our last webinar “Digital Guardianship: Enhancing Board-Level Oversight for Cyber Resilience”, our panelists exchanged their respective experiences and thoughts on cyber-resilience considerations in the boardroom. Read below a summary of the event and watch the recording of the session: https://youtu.be/8CiufzynPEc
The webinar started with a presentation of the first results from the survey conducted jointly with the MIT Sloan School of Management, Digoshen and ILA, the Directorship Institute of Luxembourg. It was followed by a presentation from Keri Pearlson (MIT Sloan) on the importance of building cyber resilience and having a cyber scorecard. This presentation was followed by insights from Jan Wäreby (Professional Chair and NED) and Martin Althen (President Securitas and NED).
In short, the presentations raised several dilemmas, and strategies to address them were discussed:
· Ineffective Cyber Risk Management: Dilemma of information and competence to judge cyber risks & resilience
- Education is key! Ask your chairperson for a training budget and program dedicated to the Directors of committees and of the Board.
- The human factor is the most prominent element in security threats; it is also the best defense if people are well and continuously educated: ask for education metrics.
- Depending on your context, hire a cyber literate director or expert.
- At a minimum, beyond details and cyber-specific points, challenge the cyber-risk assessment process and cyber management routines, and request impact descriptions at the business and stakeholder level.
· Complex Communication During Cyber Incidents: Dilemma of being informed and involved internally, and of who is contacted externally and what they expect
- Define a policy framing the right delegation and escalation rules up to the board, based on impact severity
- Designate a single point of contact and a backup within the board (or a committee, e.g. risk or audit)
- Ensure the policy includes follow-up routines, including reporting rules, ready-to-use material and communication channels, and the contact details of all stakeholders to be involved in case of crisis
· Lack of Practice in Incident Response: Dilemma of gap between theory and practice, ineffective at response and not included in plans
- Define policy for regular drills, involving the board and including lesson-learned and improvement plans, to be steered by the Board or relevant committee
- Incident response can be planned, but incidents can quickly run outside those plans: challenge the selection process for the people designated for crisis management and their preparedness training program
· Evolving Nature of Cyber Threats: Dilemma of staying sufficiently informed to oversee effectively, balanced against the time and investment required for all board responsibilities.
- Continuous education is key, especially for boards and executives, for two reasons: they are persons at risk and they are accountable persons
- Besides threats, make sure the reasons for threats are understood and monitored
· Balancing Cybersecurity Investments: Dilemma of how to determine the appropriate level of investment, and how to judge insurance coverage
- Risk tolerance definition is the fundamental indicator to assess financial considerations
- Insurance, if taken out, does not transfer the risk; rather, it may reduce the impact. A cybersecurity management capacity is a prerequisite for obtaining a policy, hence insurance does not replace upfront and continuous investment
· Liability and Regulatory Compliance: Dilemma to understand legal liabilities and evolving regulatory compliance across jurisdictions
- Make sure security management frameworks, including risk management, are based on international standards; this makes compliance easier to manage and reduces the effects of cultural gaps
Above all, since risk management deals with known threats, what about the unknown? Cybersecurity is moving very fast, and new threats can emerge at any time without any specific means of preventing them. This is where resilience capacity is crucial: embrace an uncertainty-ready culture, starting from the boardroom. An uncertainty-ready culture is radically different from risk management, which is based on the “known”: it focuses on capacities and on a “crisis-oriented” decision-making framework.
In the end, the board needs an appropriately balanced scorecard, making the oversight process more affordable while also simplifying communication with the executives involved. To be effective, it should integrate the risk management and security management frameworks, enabling transparent relations between execution and controls.
Learn More
- Harvard Business Review (HBR) article on the Board-level Balanced Scorecard for Cyber Resilience
- Sloan Management Review article on Cyber Resilience
- HBR article about the gap between CIO/CISOs and Directors, titled: Boards Are Having the Wrong Conversation
- HBR Article using the NIST Model as a framework for a cybersecurity strategy: 7 Pressing Cybersecurity Questions Boards Need to Ask
- HBR Article about how companies can prepare for a cyber incident: Cyberattacks are Inevitable. Is your Company Prepared?
- Academic article with the framework and a case study of Liberty Mutual and their cybersecurity culture: framework (and case study) for cybersecurity culture
About Boards Impact Forum and the blogpost
Events arranged by Boards Impact Forum in collaboration with World Economic Forum (Non Profit Board Network, partnering with Board Networks, INSEAD Corporate Governance Centre, Digoshen and Next Agents)