Organizations in the financial sector are seeking to create new digital customer experiences by applying sophisticated data analytics and investing in a wealth of other technology innovations. Cybersecurity is emerging as a top concern for the boards of these firms, a clear sign that cyberrisk management requires governance at the highest levels.
Though many boards are working to integrate cybersecurity resilience into their overall risk efforts, they have not yet learned to measure these risks consistently and to maximize value for money. Boards therefore need practical new approaches to set their risk tolerance for cybersecurity and to guide management’s resourcing and spending so that they can address the consistent and persistent risks inherent in this area.
Boards can take their cues from more advanced firms starting to adopt a cybersecurity and technology risk-management strategy informed by business operations. These firms are giving their boards new views of information to help them assess cyberrisks against the risk tolerance of the enterprise and ensuring that board members have the knowledge to oversee these activities.
Here are some of the steps organizations should take to catch up with mature firms in cyberrisk management.
An evolving and increasing role for the board
Boards should ask themselves the following questions in three areas:
- Oversight. What is the nature of board oversight of cyberrisks—including which committees are responsible, who serves on them, and how often do they meet?
- Structure. Are boards forming technology committees with a mandate that includes cyber oversight and, if they have, what is their structure and charter?
- Awareness and understanding. How are boards becoming more aware of these risks, understanding them better, and increasing their skills and expertise?
- Oversight: More frequent and intense
Board committees of financial firms should discuss cyberrisks and technology risks at least three to four times a year. It is recommended that firms hold optional deep-dive sessions the week before each quarter’s board meeting. These sessions should cover relevant topics, such as updates on current threat intelligence, case studies of recent breaches that could affect the company or others in the industry, and the impact of regulatory changes.
More frequent and consistent communication between board members and senior management on cybersecurity enables boards to understand the financial, operational, and technological implications of emerging cybersecurity threats for the business and to guide its direction accordingly.
Firms should increasingly recruit experts for the committees and have at least one board director with expertise in cybersecurity, technology risk, or both. These directors could include senior executives of top technology companies and executives with defense or intelligence backgrounds.
- Structure: Appointing a specialized technology committee
Risk and audit committees are the primary overseers of these risks, but firms should have a technology committee to oversee cybersecurity as well. A desire for better cyberrisk oversight is part of the reason for the creation of such committees—but not the only reason. The areas covered in their charters should include these:
- integrating the oversight of cyberrisk and resilience with technology and operational resilience, including business continuity
- applying an expert focus to strategic technology choices, innovation, transformation initiatives, and investments
- better managing regulatory concerns and requests in these areas
- Awareness and understanding
Firms should integrate cybersecurity and operational resilience in reports to the board to sustain boards’ awareness of and attention to cybersecurity risks. The types and number of metrics firms use to report to their boards on cyberrisk should correlate with the size of the firm.
Firms should report a standard set of key risk or performance indicators relevant to them and indicate their level of resilience in the context of their business and industry risk exposure. Firms can focus on technical metrics, such as malware detections, or use a rotating set, depending on the topic under discussion.
Firms will see value in keeping the board regularly aware of the ongoing risks by providing updates at least annually. These can be led by the responsible board committees or by the chief information-security officer. Organizations should also conduct regular “tabletop” or walkthrough cybersecurity exercises with the board to raise awareness and knowledge; these simulations enable boards to understand the business risks of specific cybersecurity crises and the firm’s ability to respond. The timing of cybersecurity crises may be unpredictable, but most of them evolve in predictable ways. The first responses shape much of the outcome, so getting the early steps right is the heart of efforts to emerge stronger.
Advanced boards: A more integrated cybersecurity strategy
Boards of mature organizations are shifting their role on cybersecurity by actively trying to understand the cyberrisks to their companies and helping to set the direction on risk and investment strategy. The boards’ involvement is informed by a rising number of cyber breaches making headlines, regulators who increasingly hold companies accountable for addressing gaps in their cybersecurity resilience, and the increasing level of cybersecurity and technology investment. Boards looking for direction can take cues from those that have already begun to pursue a cybersecurity and technology risk-management strategy integrated with business operations.
These strategies have three major elements.
- Integrating cybersecurity and technology risks with operational risk and resilience
Advanced boards are focusing on the digital transformation of their companies and integrating cybersecurity into their technology strategies, including the oversight of technology investments, digital-transformation programs, and the development of differentiated customer experiences.
They are also separating cyberthreats from cyberrisks. Cyberthreats are technical cybersecurity exploits, such as privilege escalation, vulnerability exploitation, or phishing. Cyberrisks are the potential harms to the enterprise that result from a loss of the confidentiality, integrity, or availability of digital assets.
- Giving the board the right tools to assess cybersecurity and technology risks
Advanced firms in this area implement a common risk terminology to measure their cybersecurity resilience and maximize the reduction of risk at different levels of investment. They are also pioneering an effective, efficient approach to reporting cyberrisks to their boards and thus allowing directors to determine which risks are within tolerances, which are not, and why. Because of this understanding of cyberrisks, mature firms are determining their tolerance for them and then steering cyberinvestment decisions to optimize the risk-reduction impact.
Mature firms are also streamlining their metrics and linking KPIs and key risk indicators (KRIs) by implementing metrics that measure both inputs and outputs. Inputs are a company’s risk-reduction efforts, and outputs are the resulting reduction in enterprise risk.
- Ensuring that the board has the necessary knowledge and skill
Leading firms ensure that boards know about cybersecurity and tech risks in the business context, their potential impact, and how the leadership is addressing them. Such firms update the board on these issues at least quarterly, with additional awareness and education sessions as needed. They use simulations and tabletop exercises to prepare the board and test the ability of the senior leadership to respond to a major cyberincident: for example, they will simulate a cybersecurity-related crisis, such as a ransomware demand that may expose customer data. Such simulations help senior executives become better prepared to make high-stakes decisions under pressure, and the board gains a deeper understanding of the firm’s capabilities. The insights generated by the simulation help refine the crisis-response playbook and build the type of “muscle memory” required to make appropriate decisions in real time with limited information.