Boards Need to Prioritize Oversight of Mission-Critical and Cyber Risks
In the fall of 2021, NACD, with PwC, Sidley Austin, and the Center for Audit Quality, brought together risk and audit committee chairs from Fortune 500 companies to learn more about recent key Delaware Chancery Court decisions, explore gaps in board process and structure in relation to these cases, and examine the implications for board oversight of mission-critical risks.
They also discussed the board’s role in cybersecurity, the ways in which boards structure their cyber-risk oversight, and the reporting they receive from management about risk.
The Board’s Role in Mission-Critical Risk Oversight Is Evolving
When it comes to risk and oversight, the role of the director has been evolving, starting with the Caremark case 25 years ago, which established that boards have a duty to oversee corporate compliance with regulations. Over the past several years, the Delaware courts have made clear that boards need to focus more on overseeing mission-critical risks. In key cases, the board of an airplane manufacturer was sued by shareholders for failing to properly oversee airplane safety, and the board of an ice cream manufacturer was sued for failing to properly oversee food safety. In both cases, the courts found that the boards lacked the appropriate focus and processes, which, had they been in place, might have helped to mitigate the events in question. The courts found that the boards did not exercise sufficient oversight over what was happening inside the company: they did not implement adequate processes to ensure that they received critical information, and they did not satisfactorily address the risks of which they were aware.
So what does all of this mean for boards now? “The Delaware courts say that boards have a fiduciary obligation to focus on mission-critical risks,” said Dr. Paul E. Kalb, a partner at Sidley Austin. “Boards in highly regulated industries have a heightened duty to oversee mission-critical risk. . . . This will affect board structure, processes, and composition. Do these boards have the right structure and committees? The right processes? The right people on the board to interpret and act on data?” Boards will need to make all of these a priority. “There’s no question that our world is evolving, and we have to evolve with it,” added one delegate. “So the role of director needs to change to dig in more deeply as complexity continues to grow.”
Very few boards have specialized risk or compliance committees, according to Kalb, although they are more prevalent in some highly regulated Fortune 500 companies. He went on to say that while 84 percent of boards said they receive regulatory updates, only 31 percent receive regular reports from their chief compliance officer, and only 57 percent reported that risk reporting is easy to interpret. “So there is substantial room for improvement,” Kalb said.
The notion of holding boards fully responsible for overseeing risk was concerning to some delegates: “A lot of these problems happen at a level of detail that no level of board reporting could see. It can’t capture everything.” Kalb said that boards cannot know all details. “But if a board is doing what it’s supposed to in terms of structure and process, and if it properly acts on the information it receives, then it shouldn’t be held liable,” Kalb said. “[The aforementioned court] cases involved boards that either didn’t have committees or processes to address these issues or they ignored information.” Another delegate added, “If you can’t expect the board to understand all the technical details, they can hire someone external with the technical expertise. If they do this, they are performing their duty.”
While boards may lack some level of specific knowledge, they can still make sure that there is the appropriate tone at the top, review data and dashboards, and look for red flags. For instance, Kalb noted that in the court case regarding the airplane crashes, the board lacked focus on airplane safety and management didn’t report key issues to the board, which created a problem. “It’s surprising that [the airplane manufacturer] didn’t start a safety committee after the second crash,” added a delegate. “So we need to be on the lookout for red flags.”
Boards Need to Focus More on Cybersecurity as Ransomware Attacks Increase
The board’s role in cybersecurity oversight is also evolving and is more important than ever, especially as ransomware attacks and other security breaches rise in frequency and in material impact. As a result, boards need to address several questions, according to Barbara Berlin, managing director, Governance Insights Center, at PwC. “Is the company prepared for a ransomware attack or a security breach? Is there a plan in place if there is a breach? Does the company have the right experts identified? Does the board have the right oversight structure? Who at the board will be informed if there is a breach?” she said.
A committee chair who focuses on cybersecurity told the group that to be better prepared for cyber risks, boards should think about taking action in five areas:
Consider having a separate committee for cybersecurity. “One-hundred percent of Fortune 500 companies told the [US Securities and Exchange Commission (SEC)] that cybersecurity is a risk,” she said. “And 70 percent have cyber risk in the audit committee. Does the audit committee have the bandwidth for this?”
Consider how effectively the organization assesses its threat landscape. Plot the types of cyber threats on a four-box grid and see which threats fall in the quadrant with the highest probability. Then have the committee discuss each one. Next, create and track metrics and overlay that data on the grid. Also consider working with ethical hackers and engaging in tabletop exercises to improve the board’s preparedness.
Consider having a ransomware policy. The SEC and other stakeholders will want to know whether the organization has such a policy if it is attacked. The policy should include information such as under which circumstances the company will negotiate payments, who will negotiate or facilitate such payments, business continuity plans, and data recovery plans. In some cases, the exercise of thinking through these variables will suffice to help a company prepare.
Consider getting an independent, objective advisor in the boardroom. A third party can conduct an investigation and incident response if the organization is attacked. Not only will they help a company identify potential issues, but they will also be more effective when an event occurs given that there will be operational familiarity between the board, management, and advisor.
Stay current on evolving technologies. When employees are working at home, devices such as smart TVs and smart speakers that have not been properly secured can open doors to the employee’s computer—and the company’s crown jewels.
Additional issues to consider. One delegate said that the company’s staff need to test the organization’s resiliency and its ability to recover from a ransomware attack in addition to conducting tabletop exercises. “Ask yourselves, ‘What is the biggest attack that we can recover from? Could we recover from a ransomware attack? Can we get back into our own systems after a breach?’” he said. “Often, we can’t.” Another delegate said organizations also need to ask themselves, “‘What third parties have access to us? How do we control those?’” Directors themselves can also be a target and therefore should communicate on dedicated lines for the best security, added one delegate. In addition, companies need to train employees on how to spot and avoid phishing scams, because, according to one delegate, 80 percent of ransomware attacks come from phishing.
Reporting. The board needs to receive regular reporting on cybersecurity, and it should also meet with management to hear and document management’s thoughts on cyber risk. One company holds regular cybersecurity briefings with management, and its new chief information security officer (CISO) participates in audit committee meetings.
Berlin also suggested that boards receive a scorecard or dashboard from management with metrics for cyber risks. The scorecard’s information can align to key risks or to the National Institute of Standards and Technology framework, for example, and can help the board understand whether progress is being made to address key risks. Two metrics that delegates said they have been tracking are the number of phishing attempts and the number of known vulnerabilities that have been patched; the first indicates the scope and scale of threats to the organization, and the second indicates the organization’s exposure and the responsiveness of management.
Incident response plans. The group noted the importance of having an incident response plan for a ransomware attack or another security breach, one that documents the thought process and key decisions in advance. “It is critical that the board oversee the company’s response and crisis plan and that management create and test the plan. A plan helps to take out some of the decisions that need to be made ahead of time, so you don’t have to think about it when you’re in the middle of an incident,” Berlin said. “And decision trees, such as when to report to the board and who will be notified at the board, are good to discuss and agree on now, before an incident occurs.” The plan can be used as a road map but doesn’t need to be set in stone. “Our policy has tiers and questions and checklists and decision trees with criteria around specifics like payments,” said one delegate. “It’s a guide. We don’t view it as our final answer.”
Several delegates also advised that if a company is the target of a ransomware attack, it should not negotiate directly with the hackers. Instead, companies need to connect with the Federal Bureau of Investigation (FBI) and other agencies. “Have the professionals do this,” said one delegate. “They’re trained for it.” There are benefits to working with federal agencies if negotiation is needed. “They will say to go slow and will try to keep [the bad actors] talking,” said another delegate. “The FBI may find out who they are. So you don’t want to go too fast. It’s a difficult balancing act.”
Reviews. Berlin said she is also seeing more boards looking for third-party experts to review the company’s cyber program and risks in order to get a view of what’s really happening that is not filtered through management. One delegate suggested conducting an external review every 12 to 18 months. “The CISO may not tell you that everything is falling apart,” he said. Delegates said their organizations have hired outside firms to review aspects of their cyber-risk programs through an organizational resiliency assessment, dashboard frameworks, and tabletop exercises. Another delegate recommended rotating the experts used for external reviews over time instead of relying on just one.
Having the right board structure and composition to address mission-critical and cyber risk is important. However, debate still exists around what is the right mix of skills and expertise, as well as who should have oversight of these risks.
Boards Are Still Figuring Out the Right Level of Expertise and Oversight for Risk
Finding the right skills mix. Most directors come from business and finance, and expertise in mission-critical risk is not considered, but should be, given the recent Delaware court cases, according to delegates. “Only about 15 to 20 percent of boards may have members from nontraditional backgrounds, like tech, legal, and marketing,” one delegate said. Boards should consider having at least one member with expertise in an area of mission-critical risk who knows the right questions to ask.
Finding the right home for oversight. Which committee(s) would be best suited to address an organization’s mission-critical and cyber risks? The audit committee? A separate safety committee? A technology committee? A risk committee? Or should the whole board address these risks? “None of this is black and white,” said Kalb. While some delegates felt the audit committee was the best place, others felt that audit committees are already overextended and that other committees should address these issues.
Delegates suggested assigning oversight for these types of risks to a committee where experts already reside. “For example, if the audit committee has a [chief information officer], put cyber there,” a delegate said. Another delegate had a similar suggestion: “Every committee should focus on the biggest risk in its area, because that’s where the competency is. A separate risk committee dilutes the obligation for the executives,” he said. One delegate suggested creating a cybersecurity subcommittee within the audit committee. And in some cases, the whole board may want to pay attention to an organization’s most critical risks. “If it’s a mission-critical risk, including cyber, then the entire board needs to focus on it to know and understand it,” according to a delegate. “Ultimately, boards have to decide what makes sense for them,” said Berlin. “But directors also need to understand that shareholders, stakeholders, and the courts are watching.”
Editor’s note: The meeting was held using a modified version of the Chatham House Rule, under which participants’ quotes are not attributed to those individuals or their organizations, with the exception of cohosts.
This content was written by a team of NACD editors.