Cybersecurity: an evolving governance challenge

February 2020

The increasing speed, miniaturization, and power of computing, as well as the connectivity of billions of devices, has led to deep change for even the most basic of industrial firms. “We are fast becoming a tech company,” said a director of one such enterprise. “If Amazon were to own our company, how would they reinvent us?” Technologies such as 3D printing, 5G communication, augmented reality, and artificial intelligence offer alluring opportunities to the leaders of large, global firms. At the same time, they introduce unprecedented risks, unlike almost any that boards have thus far encountered. The director continued, “It’s a different conversation in the boardroom than we have had in the past. A cyberattack could wipe out a significant amount of our enterprise value. The wrong hiccup could cause a ripple effect throughout our economy.”

On December 11, 2019, CRDN members met in New York to discuss how the boards of large, complex companies oversee the evolving threat of cyber malfeasance. Professor Steve Weber of the University of California, Berkeley, joined the discussion,
as did King & Spalding partners Scott Ferber, Zack Harmon, and Phyllis Sumner, along with Bill Phelps, executive vice president at Booz Allen Hamilton. 

Executive Summary
The conversation on the governance challenge posed by cyber threats focused on three themes: how the challenge differs from the familiar risks of the past, how boards are structuring their oversight of cybersecurity, and how boards and management are interacting on this crucial topic:

  • A new and different challenge for boards. Cyber threats are constantly evolving, and the motivations and actions of bad actors are extraordinarily difficult to understand and predict. Risk governance models that have worked well in the past for physical and financial assets are, for the most part, proving inadequate for cyber risk.

  • A wide variety of oversight structures. As cyber threats morph and grow, society is holding the boards of giant companies to account for failures to protect information assets and maintain privacy. Firms of the size and stature represented in the Cyber Risk Director Network often have highly sophisticated management systems for defending against cyberattacks and responding in a cyber crisis. But even in these firms, most boards are not satisfied that they have achieved mature practices for governance in this area.

  • Complex interactions between directors and management. In many companies, boards entrust the chief information security officer (CISO) with responsibility for cybersecurity. But technology is so pervasive, information so distributed, and cybercrime so fluid that reports from the CISO to the board are, at best, table stakes in cyber assurance. Directors say they need to create further checks and build trust not only with their CISOs but across executive ranks, and in some cases at deeper levels of management than is customary.