How Boards Can Step Up Their Cybersecurity Oversight

Since the Internet became a ubiquitous tool and platform, a steady increase in cybersecurity incidents exposed all companies to a widening range of risks. It is not just shareholders who blame and take management and boards to court for risk oversight and communication lapses around incidents such as at cloud-based software provider Okta. Around the world, regulators are also starting to crack down on lax cybersecurity and data privacy practices. Meta's record fine handed down by the European Union (EU) to the tune of $1.3 billion should serve as a warning sign that no company or board should use the "move fast and break things" approach for risk management.

A look at the latest incidents illustrates which processes failed. More importantly, these breaches and lawsuits around cybersecurity, data privacy, and the use of technology in general also hold important lessons for every board.

Cybersecurity and Data Protection: From Nuisance to Strategic Advantage

In the United States many companies enjoy the freedom of limited data privacy and cybersecurity regulations. Data protection is largely left to the market. At best, this absence of strong laws is a competitive advantage compared to other geographies. On the flipside, arbitration agreements and data privacy policies shield companies from their customers. At the same time, strategic initiatives at larger companies and fast-moving start-ups have always treated privacy and security as add-ons or, even worse, as barriers to reaching their goals.

Changing this stance in the tech industry and the wider economy requires a shift in how we see the issue. While security-first strategies and initiatives can drive the conversation about risk, they often require a long-term change in reporting to produce value. Additionally, they often demand a certain amount of predicting the future, which can be a risk factor in and of itself. The case of Meta illustrates the issue. The company incorrectly assumed that the EU would not take enforcement actions over transferring European customer data stateside on the eve of completing a new privacy agreement with the United States.

An Asset-Based Strategy

In contrast, an asset-based strategy is less common today but provides tremendous value to management, boards, and possibly shareholders. An asset-based strategy starts with inventorying all data, services, servers, and digital processes the company owns and utilizes. These digital assets must be cared for and maintained like physical assets. Consequently, management needs to determine each asset's maintenance requirements, deprecation, current risks, and future risks, as well as any required skills, budget, and technology. The board, in turn, executes its oversight function over the risk analysis and associated risk management strategies. Crucial to surviving and thriving in a fast-changing world, considering assets, then current risk, then future risks sets the board on a more gradual learning curve and offers the opportunity to put threats in relation to the current situation.

Asset-based strategies often help chief information security officers, chief information officers, and CEOs propose less media-driven, more evolutionary strategies. While artificial intelligence, the metaverse, and quantum computing continue to upend the world, they have only amplified or enhanced the nature of most attacks, not fundamentally changed them.

Lastly, understanding a company's current ability and changing needs can help with cross-department initiatives and shareholder communication. If nothing else, it assists the marketing team in staying truthful in its messaging, lets human resources focus on the right talent, and helps shareholders understand the value of a company’s digital assets.

A Holistic View of the World

Whether we look at the EU's GDPR actions, India's changing stance, or the data breach laws in Australia, most parts of the world follow their own regulatory approach. The fact that tech giants such as Amazon.com and Clearview AI as well as non-tech companies such as Marriott International and H&M face regulatory scrutiny and fines demonstrates that boards must act. They can no longer ignore the risks that the Internet and worldwide networks of subsidiaries impose on multinational companies. Global conflict only makes these issues more pressing.

Often, the problems were obvious to regional managers, but that information didn't make it into the management risk assessments or to the risk committees. For a global company with global ambitions and strategies, its risk reports and reviews must also reflect a global approach. Diversifying the ranks of reporting managers with leaders from around the world can help the board broaden its view of the overall company and its potential exposure.

Likewise, asking chief experience officers about their engagement with all subsidiaries helps to heighten awareness of global differences among top-level executives.

The Need for a Technology Committee and Advisory Boards 

For many boards, the number of tasks and issues to consider continues to increase. This increase is felt especially in audit and risk committees, which often take on technology oversight in addition to their traditional roles. At the same time, most boards have no or one member with a technology background.

A board of advisors is a great tool to reduce the workload and act as an interface to advise management on operational issues and the board on strategic questions. It also allows the one member with technology expertise to gather insights and feedback without updating the whole board on the ins and outs of technology and cybersecurity developments.

What’s more, a board of advisors is a good way to include overseas advisors who can offer valuable insights into worldwide developments but don't have the experience needed to oversee a US company. And finally, it provides an opportunity to develop people who are not yet ready for the full board into candidates the nomination committee would consider down the road.

Don't Delay—Risk Doesn't

If cybersecurity and data privacy incidents from the last few quarters can teach us one thing, it is that regulators and adversaries don't wait for boards to establish oversight. Meta thought it could outwait the EU-US negotiations on privacy. Clearview thought Australian privacy law wouldn't become an issue anytime soon. Marriott didn't anticipate a large data breach that may have impacted up to 339 million guests.

Delaying only plays into the hands of bad actors and invites more costly incidents. If we don't act now and take risk oversight seriously at the board level, it might be too late. Surely nobody wants their company to become another footnote in the history of devastating data breaches.