Recent regulatory and market actions against the likes of Equifax and Facebook should stand as a huge wake-up call for governing boards of directors at large enterprises.
The fallout from Equifax's massive 2017 breach, which led to a landmark $600M consumer settlement and a downgrade by the Moody's credit rating agency this summer, had one big thing in common with Facebook's $5B penalty from the FTC for its deceptive third-party information sharing practices. Namely, lackluster cyber risk oversight by their boards of directors.
"The Equifax board ignored signals that its risk management capabilities were clearly inadequate," explained a recent report by The Santa Fe Group produced for Shared Assessments on the board's role in effectively managing risk. "Facebook misled its customers about the extent to which the company’s third parties could access and utilize their personal information."
The consequences to each organization offer dramatic examples of why boards must be more active about how they evaluate all the dimensions of cyber risk to their organizations.
"Company governing boards are the last line of defense in ensuring that critical risk management processes are fully functional within the organization," the report said.
According to a longitudinal study by Shared Assessments highlighted in the report, board involvement in cybersecurity risk management is strongly correlated with an organization's Third-Party Risk Management (TPRM) practice maturity. The higher the level of board involvement, the more mature organizations tend to be in assessing risk. Whereas 51% of organizations with a low level of board involvement have very low TPRM maturity, only 18% of organizations with extremely involved boards exhibit similarly ad hoc attitudes toward managing third-party risk. On the flip side, 57% of organizations with involved boards have advanced TPRM programs.
It's a virtuous cycle, and one which directors can stimulate with some key practices, according to the experts from the Santa Fe Group. Some of the most important include:
- Establishing a board risk committee: These directors should have a higher level of involvement overseeing enterprise risk management activities so they can report the most important details back to the full board. Ideally, the board should work to nominate directors with appropriate expertise in risk management, enough to at least fill out the risk committee, if not the entire board.
- Designating a Chief Risk Officer: This executive leader can be the committee's direct line into the business, communicating risk findings to the committee at a regular cadence and helping direct action based on the strategies set by the board.
- Conducting board-directed assessments or reviews: Ideally these should use a qualified outside expert to help evaluate risk management practices with an arm's-length perspective on the organization's cyber risk posture.
At the end of the day, it's up to the board not only to make sure that the organization's risk management strategies line up with its business strategies, but also to get its hands dirty and regularly review all the different ways the organization monitors cyber risk. It's up to the board to make sure that risk monitoring processes offer enough timely visibility to support sound business decisions. This means making sure that "risk reporting metrics are relevant, conducted at the right frequency, and communicated effectively among all stakeholders," explains the report.