A new U.S. Securities and Exchange Commission (SEC) rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, went into effect last fall. The rule requires public companies to disclose whether their boards have members with cybersecurity expertise. Specifically, registrants must disclose whether the entire board, specific board members, or board committees are responsible for oversight of cyber risk; the process by which the board is informed about cyber risks and the frequency of discussions on this topic; and whether and how the board or specific board committees consider cyber risk as part of business strategy, risk management, and financial oversight.
“At its simplest, boards are busy with management, governance, and disclosure reporting,” explains Keri Pearlson, executive director of cybersecurity at the MIT Sloan Research Consortium (CAMS). “There's a lot to interpret, but this is for sure.”
It is also well understood that the likelihood of a hacking event is increasing and that the cost to the enterprise is increasing exponentially. Despite recent efforts by businesses and governments around the world to strengthen cybersecurity, data breaches continue to increase each year. Data shows that data breaches will increase by 20% from 2022 to 2023. This is not surprising given the rapid uptake of digital work and of digitization in general. As the SEC noted in a fact sheet accompanying the recent rule, “the digitization of registrant operations, the increase in remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third-party service providers for information technology services, including cloud computing technologies.”
Cyber resilience: response and recovery
Pearlson's research covers organizational, strategic, management, and leadership issues in cybersecurity. Her current focus is on the role of boards of directors in cybersecurity. In a January 2023 MIT Sloan Management Review article titled “Action Plan for Cyber Resilience,” Pearlson and her co-authors wrote that board members should anticipate a potential cyberattack and help executives and managers prepare for response and recovery. They suggest that the board should play a monitoring role to ensure that adequate preparations are being made.
“Ultimately, given that all organizations are at high risk of being compromised or attacked, and that it is impossible to protect 100% from all attacks, the most reasonable approach is to enable the organization to recover with little or no damage to operations, financial returns, and the organization's reputation,” says Pearlson. To properly mitigate cyber risks, business leaders must have a solid plan in place to respond and recover quickly so the company can continue operating. In other words, we need cyber resilience.
Pearlson compares cyber resilience to the practice of Covid resilience. “We are taking steps like staying home, wearing masks and getting vaccinated not only to reduce our chances of contracting the coronavirus, but also to reduce the impact if we do get sick.”
In other words, the protection-oriented approach most companies currently take to cyber is not enough. Protection only helps with problems that we already know about. But cybercriminals are innovative, and we don't know what we don't know; they seem to constantly find new ways to break into our systems. Pearlson talks about the need to be resilient and how that mindset comes from the top. “Boards have long received reports on cybersecurity, but typically only once a year, and they are not focused on the data boards need to ensure the resilience of their companies,” Pearlson said.
In a May 2023 Harvard Business Review article, “Boards Are Having the Wrong Conversations About Cybersecurity,” Pearlson and co-author Lucia Milica comment that the typical cybersecurity presentation at a board meeting, which talks about threats and the measures and techniques the company has in place to protect against them, is inadequate. “To us, that's the wrong perspective for board oversight. We know that no matter how much money we invest in technology and programs to thwart cyber-attacks, nothing can fully protect us. We know that spending resources to protect assets is important, but limiting the discussion to just protection is a recipe for disaster.”
Instead, the conversation should focus on resilience. For example, rather than having a board meeting detail how the organization will respond to an incident, members should discuss what the biggest risks are, what the organization is prepared to do if one of those risks materializes, and how it can quickly recover from the damage.
Assessing risk using a balanced scorecard approach
To this end, Pearlson has developed a board-level Cyber Resilience Balanced Scorecard (BSCR) designed to help boards and executives have more productive discussions and understand their organization's greatest risks to cyber resilience. Inspired by Kaplan and Norton's Balanced Scorecard, a well-known tool for measuring organizational performance, Pearlson's BSCR maps the key risk areas to four quadrants: performance, technology, organizational activities (such as human resources and compliance requirements), and the supply chain. Each quadrant contains three components:
- Quantitative progress indicators (red, yellow, and green traffic lights).
- The biggest risk factor to organizational resilience, as identified by C-level leaders.
- A qualitative action plan, in which C-level leaders share their plans to address that risk.
The scorecard helps guide board reporting and conversations about the focus areas an organization should be concerned about in the event of a cyberattack, specifically technology, the financial and organizational aspects of the business, and the supply chain. The idea is to establish quantitative measures for each of these focus areas, although other quadrants may be needed depending on the company. By considering these indicators together in one framework, leaders can draw conclusions that they might otherwise miss.
“Establishing controls is nothing new, especially for publicly traded companies that have programs in place to measure and manage their cybersecurity investments,” Pearlson says. “However, there are qualitative risks that are not recognized by these measurements. Typical controls measure the number of people who fail a phishing exercise, a key element of cybersecurity, but the scorecard also helps companies understand what they are at risk of and what is being done about it.” To learn more about the scorecard, see this recent Harvard Business Review article.
Providing the board of directors with the information it needs
Most leaders understand that they are at risk of attack, but they don't know how to talk about it or how to respond. While it is easiest for cyber executives to report on technology metrics and organizational metrics, this information does not help the board in its job of ensuring cyber resilience. “It's misinformation, at least initially, in conversations with the board,” Pearlson said.
Through Pearlson's research, cybersecurity leaders, directors, and other subject matter experts expressed interest in critical information about system assets, proactive capabilities, and how quickly they can recover. Some wanted a better understanding of what types of data their company held, where it was held, the potential for compromise, and the impact a breach would have on business operations. More than half of participants wanted to know the financial value of a breach or cyberattack against their organization.
Pearlson's BSCR places these risks in the context of specific areas or processes that are core to the business and helps address nuances such as “Is this an immediate risk or a long-term risk?” and “Would the impact of a compromise in this area be minimal or significant?”
“The Cyber Resilience Balanced Scorecard is the starting point for discussions about how businesses continue to operate when an event occurs,” says Pearlson. “Today, investing in protection alone is not enough. We need to focus on business resilience to cyber vulnerabilities and threats. We need a qualitative evaluation.”
Pearlson teaches two MIT Sloan Executive Education courses on building individual and organizational resilience. Cybersecurity Leadership for Non-Technical Executives, designed for non-cyber professionals, helps participants deepen their knowledge through discussion. Cybersecurity Governance for Boards helps board members, executive leaders, and other senior leaders quickly acquire the language and perspectives they need for cybersecurity strategy and risk management, so that they can better fulfill their oversight and leadership responsibilities.