How Boards Can Be Better Prepared to Lead on Cyber Risk

When a security or cybersecurity breach occurs in an organization, it is not the Chief Security Officer or Cyber Security Officer (roles we can identify today, among others, as the Chief Information Security Officer, Business Information Security Officer or Chief Trust Officer) who steps out to face the media and inform the public of the facts. Instead, a spokesperson or a senior executive takes up the challenge of conveying the details of the adverse event, its effects and how the organization acted to resolve the situation. In this sense, the responsibility is not executive but directive and political, residing in the board, which will be assessed on its work of overseeing cyber risk and on how its decisions may or may not have influenced the outcome of the security breach that materialized in the company.

During this time, board members are questioned about their fiduciary duties and possible breaches of due diligence that may generate sanctions or legal implications in their role as administrator or representative of the company to shareholders. Therefore, each board member should be appropriately informed about the company’s cybersecurity activities and posture and encourage discussions to answer the following questions, among others, and to continue and ensure that they are discussed at the appropriate board level and in the executive committee of the organization:

  • Are we prioritizing the right cybersecurity technologies and capabilities?
  • Do our technology priorities align with our cybersecurity capabilities?
  • Are we investing in the right cybersecurity technologies and capabilities?
  • Can we accurately and confidently measure our risk appetite, providing transparency to regulators and executives?
  • Do we have enough of the right talent to not only sustain current capabilities, but also support future cyber maturity and expansion?
  • Do we have tested and secured cyber resilience in the event of adverse cyber events?

It is clear that an organization will at some point fall victim to a successful cyberattack. This does not automatically make it liable for the consequences; rather, it is its level of preparedness and responsiveness, linked to the risk appetite statement, that allows us to assess how well management is exercising oversight and quality assurance in light of its due diligence obligations. These risks are changing and dynamic, requiring constant review and continuous adjustment to maintain an operating threshold in line with the risk-taking capacity that the company can withstand without losing operating margin.

Therefore, each board member, in order to protect and ensure due diligence and prudence in the oversight of cyber risks, should at least perform the following activities and keep records of them, without prejudice to the communications established for the purpose of making collegial decisions on the treatment and monitoring of cybersecurity risks:

  • Regularly attend board meetings and participate in discussions
  • Ask questions and make sure they understand the issues being discussed
  • Review and approve all major decisions made by the board
  • Stay up to date with the latest developments in corporate law and governance
  • Seek legal advice on any question regarding the legal obligations of a director

While a board member does not need to be a cyber threat expert (although there has been a recent increase in the number of such profiles on boards), it is important to recognize and analyze the scenario in which the organization operates and how its value promise is affected by the digital context, as well as the evolution of the regulatory framework that defines its operations, which may generate tensions in the medium and long term regarding the implementation of innovative strategies that are particularly affected by regulatory constraints and limited options for action.

Editor’s Note: To learn more about this, read Jeimy’s 2024 ISACA Magazine article, volume 4, “Improving the maturity, corporate governance and management of cyber risk in supervisory boards.”

ISACA Magazine