How boards can amp up their oversight of cybersecurity


Emerging risks, regulatory scrutiny demand greater expertise


The reputational, financial, and, for some, legal and regulatory risks of cyber events have been on the agendas of boards for some time. But with the SEC expected to finalize new cybersecurity rules this spring, the topic becomes an even more important strategic and enterprise risk—one that boards must oversee.



SEC to require board disclosures: The SEC’s proposed rules are designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting. A final rule is expected to be issued this spring.


For companies in non-regulated industries, this will be the first time they face a cyber regulation. For directors, it means a requirement to periodically report on any cybersecurity expertise on the board and on the board’s risk management activities related to cybersecurity. According to the National Association of Corporate Directors, only about 6% of Russell 3000 companies report cybersecurity skills among board members.  





Finding cyber expertise to add to the board


While the boards of larger organizations and those in regulated industries may already have board-level cyber expertise on a technology committee or sub-committee, most are not in that position yet. Those organizations face decisions on board structure and how they can meet the intent of the new regulation.


“The SEC views cybersecurity as one of their top potential risk areas for organizations. So just as boards have members who specialize in financial risk, you want someone who has a specialization in cyber who can lend their expertise to understanding the unique risks involved and provide oversight of management,” said John Pearce, Principal for Cyber Risk Advisory Services for Grant Thornton LLP.


But since there are no precise guidelines in the proposed rules, there is some ambiguity regarding qualifications for board-level cyber expertise. Depending on their approach to board size, membership and composition, boards look to add former CIOs, CISOs, or people who have worked in the technology or cyber space.


“There is now an entire generation of cybersecurity leaders available to join boards,” said Max Kovalsky, Managing Director, Cybersecurity and Privacy for Grant Thornton. “Interestingly, headhunters are now offering their services to former IT and cyber executives who might want to fill these seats.”




Evolution of board oversight



“Rewind the clock to a decade or so ago,” said Pearce, “and the board asked if there was a cyber program with preventive controls in place and if there had been any cyber incidents that needed to be reported. What they want to hear now is, ‘How are we managing the maturity of our program, how do we compare to our peer group, what are the risks we see to the business and what are we doing about it, what cyber events have happened and what were the residual risks.’ A board briefing that says there have been no events should almost serve as a red flag to board members.”


In helping the company reach maturity, leading boards will:

  • Set the tone for an organizational culture that is serious about cybersecurity. Effective cybersecurity processes and procedures can help gain the trust of both regulators and consumers. Leading boards realize that cyber risks do indeed occur. They want to hear about them and what management is doing to make the company better able to detect and respond.
  • Insist on comprehensive briefings that include a person independent of the technology stack at the company. They also want the CEO to be involved in the briefing.
  • Understand the value and limitations of cyber insurance. Leading boards don’t think about cyber insurance as a way to transfer risk. “The risk to consumer confidence and regulatory confidence, as well as potential reputational impacts, cannot be transferred,” Kovalsky said. “Insurance does help offset some of the costs associated with a cyber event but it is not a substitute for a cybersecurity program. Boards need to know all the controls and resilience programs are in place just to get cyber insurance at this point.”



Taking action through best practices


Actions boards can take to provide effective governance related to cybersecurity include:

  • Seek out opportunities to become more knowledgeable on cyber topics so they can ask informed questions. Engage an external independent adviser to educate the board and broaden members’ perspective beyond the company or the industry. Individual directors may want to obtain certification through the NACD’s cyber-risk oversight program.
  • Participate in the company’s cyber event simulation exercises to gain insight into preparation and the organization’s ability to respond and recover. “The number of exercises has gone up dramatically,” Kovalsky said. “We are seeing more boards participate in these exercises, playing their role to be briefed, advise, and endorse management decisions.”
  • Form a sub-committee to focus on cyber issues. Sub-committees create opportunity for members to take a deeper dive into the subject and inform the board in a valuable way, helping to ensure the company’s program fulfills the intent of regulations, and builds trust with customers, investors, employees, the community, and regulators.

Cyber threats are relentless, leading to ongoing risk to the enterprise. With the new rules on the horizon, now is the time for boards to renew their focus on cybersecurity.




Industry focus


Here’s what board members should know about cybersecurity in some key industries.


Asset Management: Cybersecurity can be a competitive differentiator for asset managers who are trying to distinguish themselves in a field of highly credentialed competitors. But “if you can tell clients, ‘Here’s how we’ve increased our controls, here’s the insurance policy we have with a well-known insurance company, and here’s how we test and document around the testing’…I think that is definitely going to be a differentiator,” said Michael Patanella, Grant Thornton’s National Managing Partner, Asset Management. To read more, see “Cybersecurity is a differentiator for asset management.”


Technology: Technology companies face cyber risk from many directions, as both providers and consumers. “The industry is taking a deeper look at the level of scrutiny — and the level of assurance — that they need to go through for the software they build and the software they buy,” said Steve Perkins, Grant Thornton’s National Managing Partner, Technology. To read more about cyber risk in the tech industry, see “How tech firms can form a cybersecurity tripod”.


Healthcare: The healthcare industry has always been a highly attractive target for cyber-attack due to the sensitive personal information in its possession. In the United States last year, the industry experienced 1,410 attacks per week, an 86% increase from 2021, putting patient safety at risk. Board members of healthcare organizations, from hospitals to medical device manufacturers, will want to understand the organization’s cybersecurity capabilities and provide the necessary resourcing to meet their needs. Read more in “Cyber resilience beyond BCM”.
