5 Steps for the Boardroom Community to Address Heightened Privacy and Cyber Risk Oversight
By the Nasdaq Center for Board Excellence ‘Risk & Cyber Oversight’ Insights Council: Dominique Shelton Leipzig, Chris Hetner, Steve Roycroft, and Raj De
This is the second blog post of a two-part series that shares tactics for boards to address cyber issues. Read part one: Resilience Requires a Modern Path to Board-Level Cyber, Privacy and Data Risk Governance.
In the current environment of looming (but not yet finalized) legal requirements for cybersecurity, U.S. shareholder derivative litigation risks, heightened global criminal and geopolitical cyber risks, and global regulatory director guidance, boards may consider the following five steps to anticipate privacy and cyber issues:
Step 1: Ensure that adequate privacy and cyber competence exists in the boardroom either through board appointments or third-party advisors. Boards should ensure that they have cybersecurity and privacy expertise in the boardroom. If a board does not have board members with privacy and cybersecurity experience, it should consider following the recommendations of the SEC and N.Y. Department of Financial Services (DFS) to retain third party advisors to support the board. As the N.Y. DFS said in its proposed amendments, “The board or an appropriate committee of the board shall have sufficient expertise and knowledge or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cyber risk and a committee or subcommittee assigned responsibility for cybersecurity.”
Step 2: Execute a board-level strategy for data risk governance and resilience. Leadership should determine which data may advance the company’s success, and conversely, which is extraneous. The board will want to know whether management has created a plan for the secure storage and sharing of data. Failure to do so may lead companies to run afoul of regulatory expectations in the U.S. and the EU. It is important for boards to consider how to balance strategic goals with increasing investor expectations around tracking metrics, such as those relating to environmental, social and governance (ESG) and human capital management matters and consumer expectations relating to resilience and personal data privacy.
Companies may not realize that proxy advisory firms like Institutional Shareholder Services Group (ISS) are already rating companies on their cyber and privacy maturity. One way to achieve this balance is for the company to consider what data it needs to effectuate its strategic plan and goals. Data that is not crucial to the mission could be eliminated to lower risk. On the other hand, data that is necessary to effectuate business goals should be identified, treated and protected in a manner that is consistent with ESG governance expectations. Policies that are aligned with data privacy and maintaining resilience against cybersecurity threats should be consistent with a company’s brand. For example, if a company is known for trust, its digital DNA should reflect that. At the board level, policies are necessary to ensure that data is evaluated like any other asset of the company and that privacy- and cybersecurity-focused questions are developed to demonstrate oversight of management.
Step 3: Contextualize cyber risk to financial exposure. Cybersecurity and data privacy should be integrated into a company-wide enterprise risk management (ERM) strategy to enhance overall growth. While cyber threats are reaching new levels of sophistication, only 17% of companies say they delivered meaningful cyber risk metrics to the executive teams and boardroom, according to a 2021 World Economic Forum (WEF) report. The WEF report acknowledged that boards need “diverse sources” of cybersecurity expertise, and that boards should “seek out third-party advisers and assessors – who report to the board regularly – to ensure effective oversight of management.”
Boards should be educated about the degree to which their company is exposed to various forms of digital risk, as well as the potential business and financial impacts. One useful tool that management may use to manage risks and report metrics to the board is the National Association of Corporate Directors Cyber Risk-Reporting Service, which includes key risk indicators (KRIs) that measure material financial risk exposure to cyber threats impacting the organization. Management should provide the board with reports of this type covering the KRIs that affect the company and its industry.
Boards may consider grounding discussions of cybersecurity and data privacy through the consequential financial and company impacts connected with each risk type. This helps connect the assessment of privacy and cyber risk to strategy and balance sheet stress. In some cases, Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) tend to rely on periodic tactical and technical reports to justify tech solutions that may only suppress risk. This may get “lost in translation” when engaging board members and the wider C-suite, leaving leadership unsure of what they are funding and where gaps remain. Boards care about what the issue is (i.e., privacy and data security) and how this will impact the company. Grounding the discussion in quantifiable risks is a critical first step to maximize opportunities.
Step 4: Ensure the board is educated enough to meaningfully participate in data strategy. Taking a “what we don’t know can’t hurt us” approach to digital strategy is no longer an option. According to a Deloitte report, 41% of C-suite executives feel their board provides sufficient technology oversight. Meanwhile, two-thirds of board members indicated that education on the latest digital innovations would effectively improve their ability to provide oversight. Other imperatives include elevating leaders proficient in data issues to the board, and bringing in experts, counsel and vendors to educate the board on a quarterly basis.
It is critical for the board to understand the possible threats facing the company. Boards and C-level management should consider focusing on improved situational awareness with visibility into emerging risks and threats so they can proactively manage and mitigate potential issues. Boards also need more efficient access to strategic cyber intelligence and expertise, resulting in time saved as well as the ability to redeploy resources associated with managing enterprise risk. Finally, boards may zero in on better risk management outcomes – risk mitigation may become a sustainable point of differentiation for a company.
Step 5: Look at the big picture. Technological innovation is bringing about a Fourth Industrial Revolution. By leveraging data effectively, companies can be disrupters rather than be the disrupted. As the world recovers from the coronavirus pandemic, forward-looking companies may utilize data to mitigate weaknesses and identify areas for investment. Boards may take advantage of this moment of global transformation to help reposition their brands as industry leaders in digitalization.
We are generating 2.5 quintillion bytes of data per day globally. Too often companies are blindsided by developments with data. It is important for companies to get their arms around the issue of privacy and see around corners so they can anticipate new issues like algorithmic bias, data privacy, digital finance and so much more that goes along with data innovation. The board’s leadership on data privacy and cybersecurity is a critical component to company oversight. A proactive approach on those issues is key to advancing excellence in the boardroom and beyond.
The overriding principle for any board overseeing data privacy is that it should be approached as an enterprise risk management issue, rather than a technology problem for the information technology team to handle. The administration of data risks is just one element of the company’s risk management and watching over such risks should be part of the board’s oversight of the execution and performance of the company’s ERM program. Accordingly, while directors may not understand all the technological details surrounding data protection systems and processes, it is still important for the board to be comfortable with management effectively addressing the company’s data risks.
To fulfill its duty of care with respect to overseeing the company’s data risks—and to be able to demonstrate it has fulfilled this duty—the board should ask thoughtful and strategic questions to understand how management is handling digitalization and data privacy, and to satisfy itself that the protocols in place, or being put in place, are sufficient and appropriate. Asking questions and exercising good judgment helps directors successfully oversee the data risks facing the company and the company’s plan to mitigate and respond confidently to those risks.
About the Authors: Dominique Shelton Leipzig, Partner of Cybersecurity & Data Privacy and Leader of Global Data Innovation at Mayer Brown; Chris Hetner, Senior Executive, Board Director, Leader in Cybersecurity, and Former SEC Chair Senior Cybersecurity Advisor; Steve Roycroft, CEO of RANE Network; Rajesh De, Partner and Chair of Cybersecurity & Data Privacy at Mayer Brown. The authors also thank Dani Poloner, Intern at Mayer Brown, for his contributions.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
For more leadership insights and resources, join the Nasdaq Center for Board Excellence, a community and collaboration environment in which board engagement is deepened and experiences are shared. Sign up today!