Cyber-Risk Oversight Is Evolving: Are Directors Ready?

Last year was yet another challenging one for organizations in terms of cybersecurity. Massive breaches, exponential growth in ransomware attacks, attacks targeting critical suppliers and vendors, and new vulnerabilities in ubiquitous software created heartburn for security teams and executive leadership.

On top of that, several recent announcements from US regulators suggest that corporate directors need to reexamine their cyber-risk oversight efforts in 2022. On Jan. 4, the Federal Trade Commission issued a warning that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” Most executives had never heard of Log4j prior to December, when news emerged that a serious vulnerability threatened millions of products that rely on the common software.

Weeks later, US Securities and Exchange Commission (SEC) chair Gary Gensler delivered remarks at the annual Securities Regulation Institute placing cyber-risk oversight squarely on the shoulders of executives and directors. During the meeting, Gensler announced that SEC staff would be recommending new rules on mandatory cybersecurity disclosure by public companies, saying companies and investors alike would benefit from cybersecurity information “presented in a consistent, comparable, and decision-useful manner.”

These initiatives signal an important change in the expectations that regulators have of companies and their directors.

In the past, regulators sought assurance that companies were addressing cyber risk at senior levels. Over the last five years, we have witnessed incredible change in the way that companies have organized themselves to address cyber risk. These critical corporate governance initiatives—from ensuring that directors with cybersecurity or technology expertise are on the board to creating board-level committees responsible for cyber-risk oversight to developing reporting structures between the business and the board—have created an important foundation for many organizations to manage cyber risk.

But in many respects, these critical corporate governance initiatives are just the beginning of the journey. They establish the structure and framework for decisions to be made. Now, with incidents and breaches piling up, the focus is shifting to questions about security program performance and effectiveness. What should directors do to respond?

The next phase of cyber-risk oversight—Cyber-Risk Governance 2.0, if you will—will focus on the data itself. What data should be reported? What metrics should be analyzed? How does this data inform our decision-making? How do we assess our program’s effectiveness?

We are entering a new era of cyber-risk oversight, one that will be marked not by governance changes but by the integration and use of data, information, and metrics.

Effective Cyber-Risk Monitoring and Measurement

When developing or improving the ability to measure and oversee cyber risk, understanding an organization’s exposed assets and security performance are critical. Work from home due to the COVID-19 pandemic, increased dependence on mobile devices and applications, increased cloud and third-party reliance, and high-speed 5G connectivity have all dramatically expanded organizations’ attack surface—the volume of exposed assets that may be at risk of attack.

The expanding attack surface means that significant risks may exist in areas organizations have not historically considered. For example, a recent BitSight study into the security posture of organizations’ mobile applications found that 75 percent of mobile apps contain at least one moderate vulnerability. Few organizations address material and severe vulnerabilities once they’ve released their applications. This is highly risky behavior, and malicious actors are ready to take advantage of these lapses.

Organizations need visibility across their entire attack surface—from on-premises and cloud infrastructure to software as a service and mobile applications. Additionally, ongoing monitoring is essential in an ever-changing risk landscape. Tools that track security performance over time can help guide continuous improvement efforts. This type of insight gives decision-makers the ability to make security investments that deliver the highest impact over time and efficiently allocate resources to the most critical areas of cyber risk within their organization.

Armed with data and insights, corporate directors will be able to build upon their cybersecurity governance initiatives and confidently enter the next phase of risk oversight.

Jake Olcott is vice president of communications and government affairs at BitSight.