When a security/cybersecurity breach occurs in the organization, it is not the security/cybersecurity executive (who today we can identify, among other names, as Chief Information Security Officer, Business Information Security Officer, Chief Trust Officer) who goes out to face the media and inform the public opinion about the facts, but a spokesperson or a top-level executive who assumes the challenge of communicating the details of the adverse event, its impacts and how the organization has been acting to address this situation. In this sense, the responsibility is not executive, but directive and political, located in the board of directors, who will be evaluated in their work of supervision of the cyber risk and how their decisions may or may not have influenced the outcome of the possible security breach that has materialized in the company.
At this time, board members are questioned on their fiduciary duties and possible breaches of due care that may generate sanctions or legal implications in their capacity as administrator or representative of the company in front of the shareholders. Therefore, each board member should be adequately informed of the company's cybersecurity efforts and posture, and encourage conversations to answer the following questions, among others, and follow up and ensure that they are addressed at the appropriate board level and in the organization's executive committee:
- Are we prioritizing appropriate cybersecurity technologies and capabilities?
- Are our technology priorities aligned with our cybersecurity capabilities?
- Are we investing in the right cybersecurity technologies and capabilities?
- Can we, and do we, accurately and confidently measure our risk appetite, provide transparency to regulators and executives?
- Do we have sufficient and appropriate talent not only to maintain current capabilities, but also to support future cyber maturity and expansions?
- Do we have the cyber resilience capabilities tested and secured against adverse cyber events?
It is clear that the organization will at some point have a successful cyber attack and that does not automatically make it responsible for the impacts, but it is its level of preparation and response capacity associated with its risk appetite statement, which allows assessing how well the board of directors is doing the supervision and assurance exercise, in the face of the declaration of due care and diligence against a risk that is changing and dynamic, which requires a permanent review and constant adjustments to maintain an operating threshold in line with the risk capacity that the company can withstand without losing its operating margin.
Therefore, each individual board member, as a way to protect and ensure their due diligence and due care in the supervision of cyber risk, should at least carry out the following activities and keep a record of them, without prejudice to the communications that are established for the collegiate decisions that are defined for the treatment and monitoring of the risks associated with cybersecurity:
- Regularly attend board meetings and participate in discussions
- Ask questions and ensure they understand the issues being discussed
- Review and approve all major decisions made by the board
- Keep abreast of the latest developments in corporate law and governance
- Seek legal advice if they have questions about their legal obligations as a director
Although the board member does not need to be an expert in cyber risk issues (though recently there has been a greater involvement of this type of profile on boards), it is important to recognize and analyze the scenario in which the organization operates and how its promise of value is affected in the digital context, as well as the evolution of the regulatory framework that defines its actions and that can generate tensions in the medium and long term with the implementation of innovative strategies that experience the limits of the regulations in a particular way, and with limited options for action.
Editor’s note: For more insights on this topic, read Jeimy’s2024 ISACA Journal article, volume 4,“Improving Cyberrisk Maturity, Governance, and Management in Boards of Directors.”