
“A board’s failure to manage cyber risks could create a threat of litigation against a company or lead shareholder groups to advocate the ouster of board members.” – former SEC Commissioner Aguilar

Cybersecurity risk is a business risk. It is critical that your executives, C-suite, and board members alike are all actively engaged. Cyber risk is an enterprise-wide issue, and no company is immune to the threat of a breach. The sooner your board gets on board, the better off your organization will be.

The global cost of cybercrime is expected to reach $6 trillion annually by 2021. The threat environment is becoming more complex as hackers use sophisticated new tactics. Cybersecurity attacks are among the gravest risks that businesses face today. The EY 2019 CEO Imperative Survey found that CEOs ranked national and corporate cybersecurity as the top global challenge to business growth and the global economy.

In the past, boards at best broached the subject of cyber risk during meetings and at worst ignored it completely. As cyber incidents, and in turn the lawsuits related to them, continue to rise, the most successful organizations have made the topic a regular agenda item, particularly since the prevailing view is now that boards have a fiduciary responsibility to exercise appropriate oversight of cybersecurity risks.

Overseeing Cybersecurity

A board should oversee cybersecurity just like it does any other significant risk to the company. That means discussing the top cyber risks with management. It also means understanding how management implements controls and other measures, such as cyber insurance, to bring the level of risk to an acceptable level, both for the company and the brand.

As your board oversees how management identifies, prioritizes, and monitors cyber risk, here are some recommended areas to focus on:

  • Address cybersecurity as a business-wide issue, not just an IT one
  • Have an oversight approach with access to cyber expertise
  • Understand the legal implications and regulatory compliance requirements
  • Discuss the current cybersecurity strategy and update as necessary
  • Get the right information to monitor the cyber and privacy program

Cybersecurity is Everyone’s Issue, Not Just IT

Ideally, cybersecurity discussions should include the entire business unit, technology and risk management leaders, as well as the CEO, CFO and other executive leadership.

If recent global security breaches, which impacted over 200,000 computers in 150 countries and cost millions, are anything to go by, it could not be clearer that cybersecurity impacts businesses as a whole, not just IT departments.

Businesses need an approach that integrates cyber protection into all aspects of the organization, from the IT department to employee training to security policies. Most risk management consultants would tell a board that a culture of compliance starts at the top. It needs to be a companywide concern, and everyone from the top down needs to be invested.

Developing a cyber secure environment requires input from governments, leaders, businesses, and consumers. Yet, for businesses wanting to take the first step towards a safer cyber environment, input is needed from all areas of the business to strengthen the preventative strategies against an attack and mitigate major interruption to business operations when the inevitable happens.

Who Will Oversee Cyber Risk?

The first step is to determine if the entire board will oversee cyber risk or if it will delegate to a committee. If oversight is done by a board committee, it is important that the full board get regular and comprehensive updates.

It is also important to ensure your board has access to the expertise it needs on the subject.

Some boards recruit a director with a technology or cybersecurity background. Many boards get continuing education on the topic from the company’s CSO and/or from outside advisors. Boards can also take advantage of private sessions with the CSO for sensitive conversations.

Many of LightEdge’s customers work with LightEdge’s IT security and compliance consultants to strengthen their company’s risk mitigation and compliance story.

It’s more difficult than ever to meet the complex demands of compliance and security, especially with evolving threats, vague regulatory guidance, and limited resources. Luckily, you can trust in LightEdge’s highly trained Compliance and Security experts to take the guesswork out of protecting your business.

Security and compliance consulting services can meet a range of needs, including risk management, information security, audit preparedness, and audit support. Security professional services simplify the process of improving an organization’s security posture by helping their board:

  • Make sense of security and compliance frameworks that apply to their business or industry
  • Identify business risks, taking into account the role of their hosting service provider
  • Determine which security controls are required to mitigate their identified risks
  • Improve collaboration and communication during security event mitigation and incident response between their business
  • Establish the necessary framework to maintain and continually improve their information security program over time based on evolving scope and emerging risks
  • Document and track efforts for evidence collection and audit preparation

Understanding Regulatory Compliance Requirements

Nearly all U.S. states and many countries have laws requiring entities to notify affected individuals when there has been a security breach involving personally identifiable information. The data breach notification laws are not uniform and can change, making it a challenge to keep up to date. Plus, many states are now passing their own cybersecurity regulations.

In 2018, the General Data Protection Regulation (GDPR) took effect in EU law. In addition to the GDPR, the California Consumer Privacy Act (CCPA) was created in 2018 and went into effect on January 1, 2020. The CCPA is a state statute intended to enhance privacy rights and consumer protection for residents of California.

The penalties for noncompliance can be stiff. For example, businesses that fail to comply with GDPR face potential fines of up to 4 percent of global revenues.

Boards will want to understand the basic regulations around data privacy and cybersecurity. More importantly, directors will want assurance that management is tracking the evolving requirements and is able to comply.

Compliance can be costly, time consuming, and complicated. Thankfully, compliant hosting providers can remove some of the compliance burden for you. The percentage of companies that disclosed the use of an external independent advisor on cybersecurity matters held fairly steady at 12 percent in 2019 versus 13 percent in 2018, EY reported.

Discuss the Current Cybersecurity Strategy

The board should be briefed periodically about the company’s cyber strategy. Directors will want to know how the cyber strategy ties to the company’s business objectives.

During this discussion, the board will also want to touch on whether the cybersecurity budget is sufficient to support the strategy.

In PwC’s Digital Trust Insights survey, published in October 2018, most respondents responsible for communicating with the board on cyber and privacy risks say that their company has provided the board with strategies for cybersecurity (80 percent) and privacy (83 percent). But 30 percent of directors say their boards are not sufficiently or not at all engaged with overseeing/understanding the cybersecurity budget.

Company CIOs and CISOs are often key to cyber strategies and plans. And 71 percent of the directors whose companies have a CIO say they communicate with that individual at least twice a year; 60 percent of directors whose companies have a CISO do likewise.

Get the Right Information to Monitor the Cybersecurity and Privacy Program

The board should understand the company’s IT environment and data assets. Board members should also understand the risk posture of the organization. With this background, management can provide updates on security projects, how well security efforts are working, and how they are impacting the business. Boards should expect metrics that map to these areas.

In addition to internal metrics, the board should expect management to communicate how external factors affect overall risk posture and effectiveness of risk reduction activities. These factors include threats and third-party risk and regulations.

Unfortunately, only 37 percent of directors are very comfortable that the company is providing them with adequate reporting on cybersecurity metrics, PwC reported.

Risk That Boards Face

Lawsuits are not uncommon after a breach. Victims want to seek justice. Boards continue to face lawsuits related to their duty of care or oversight.

In July 2019, Capital One disclosed a breach that involved the personal information of over 100 million customers in the U.S. and another 6 million in Canada. Following the disclosure, the company’s shares fell nearly 6 percent, the Wall Street Journal reported.

In October, a shareholder filed suit alleging that a number of statements Capital One made about its data security in its SEC filings were materially false and misleading.

These lawsuits raise a number of questions related to the board’s cybersecurity efforts. Ideally, the board will be able to show it was proactive about cybersecurity.

In addition to litigation, board members need to be prepared for compliance risks. Federal privacy legislation has been discussed in great depth, but has yet to pass, which means companies must be prepared to comply with the patchwork of state and foreign regulations currently in play. That is a daunting task without board assistance.

Challenges Board Members Must Face

Expertise and insight are necessary for a board to make informed decisions related to cybersecurity. Without them, organizations are likely to face the risks discussed above. To bridge this gap, communication between the CSO and the board must be clear. It is not only important for board members to understand security risks, but for the CSO to explain them in layman’s terms.

Another challenge that boards must face is the ability to quantify the financial risk associated with a cyber incident. Reputational harm, business interruption from ransomware attacks, and class action lawsuits are just a few of the potential consequences of a breach.

The chance that an organization will experience one of the incidents above is high, so in case you forgot, cybersecurity risk is leadership risk.

LightEdge Can Help Get Your Board on Board

With the new regulations empowering users to protect their data, it is finally time for better data privacy. Let LightEdge help you safely and securely store your data. Whether you are looking for a top-tier colocation service provider or a world-class hosting and cloud provider, LightEdge has got you covered.

LightEdge’s highly trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and audit support.

Our LightEdge facilities are more advanced than traditional data centers. We have created true Hybrid Solution Centers designed to offer a complete portfolio of high speed, secure, redundant, local cloud services and managed gateways to public clouds through our hardened facilities.

Customers turn to LightEdge to reduce the risk of non-compliance, scale security, and gain predictability and cost-effectiveness. LightEdge provides customers with an extended team of experienced engineers and helps them focus resources on agility and differentiation. Are you curious how your current provider stacks up? No two businesses are the same. At LightEdge, we work with you to find the right mix of control, security, and cost for your Cloud Hosting and IT service needs. Contact us today for your free security assessment.


Michael Hannan, Director of Compliance

Michael has eleven years of information systems, IT, consulting, and compliance experience. His expertise includes identifying and implementing general IT systems, applications, and business controls in conjunction with external compliance audits.

Michael is currently the Director of Compliance at LightEdge, helping to establish, maintain, and enforce the information security policies and procedures that keep LightEdge customers protected at all times.