Five years ago, social media was perceived by many to be a passing fad. Then came the introduction of tablets and mobile devices. Now, cyber security has emerged as one of the greatest threats facing Anglo-American corporations. It is front and centre in the minds of directors, or should be.
In the area of technology, are boards fulfilling their duty of care in overseeing management and protecting shareholders' investment? Indicators are that many boards and directors may not be. Plaintiffs' lawyers are suing companies and their boards over technology failure. Here are some recent statistics and trends:
• "Our entire lives are on the internet," according to FBI Director, James Comey, adding "The internet is the most dangerous parking lot imaginable";
• "Social media is the number one activity on the web," according to Belle Beth Cooper in a Huffington Post article;
• The average user picks up their device 1,500 times a week, and reaches for it at 7:31am each morning, according to MailOnline;
• The average smartphone owner uses his or her smartphone for three hours, sixteen minutes, each day;
• Cybercrime constitutes the "greatest transfer or wealth in history," according to the National Security Agency's General Keith Alexander;
• Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies;
• Only 13% of companies have BYOD (bring your own device) policies, according to a 2014 report by Ernst and Young;
• Fewer than 50% of companies use encryption techniques for devices;
• 38% of companies do not address cloud risks;
• "Only 56% of companies conduct penetration tests, and 19% fail to test at all," according to an Ernst and Young report;
• Less than one-third of boards are addressing risk management in relation to IT operations or computer and information security, according to a 2012 report from Carnegie Mellon; and
• "Most policies currently in place," "are too weak to reasonably ensure that systems are not breached," according to a 2014 NACD (National Association of Corporate Directors) report.
What should boards of directors be doing to exercise their duty of care over technology risk, including social media, BYOD, and cyber security?
1. "You have to own this problem as a leader," in the words of Admiral Michael Rogers, Director of the National Security Agency. You do not need to be an expert in technology as a director, but you now need to be literate and informed. If you are not, then get educated. Request a glossary of acronyms from management as a start. There are several leading standards and frameworks from which to learn, including the National Institute for Standards and Technology; ISO/IEC 27032 Guidelines for Cybersecurity; the SANS Institute for Critical Security Controls; and the IoD and NACD in London and Washington. If your board lacks information technology expertise, consider putting this on your competency matrix for director recruitment. If you are in a key industry such as financial services, retail, utilities, defense or health care, technology should be represented at the boardroom table. If much of your company's business model resides on the Internet, consider having a separate technology and strategy committee.
2. Examine your committee structure. If your audit committee oversees the substance of all risk oversight, you may be at risk if committee members lack recent and relevant information technology and risk expertise, or are overworked. All material business risks, financial and non-financial, should be covered off and mapped to one or more board committees, and these risks should be made explicit within committee charters and board guidelines, including technology, reputation, operations, and heath and security risk. The audit committee is not necessarily qualified to oversee non-financial risks, including terrorism.
3. See technology risk as a broader enterprise risk, and as a strategic and business imperative, not a narrow technology issue. Regulators should be requiring your board to approve the risk appetite framework, which includes explicit internal controls, assurance, reporting, and limitations. Ask management to see the real-time, prospective internal controls over technology risk, in writing. This is where many companies are weak, and if you are, you should see this gap and ensure it is remedied as a director. This is not micromanagement, but good oversight.
4. Understand and demand information on the internal controls over social media, BYOD and cyber crime. This will facilitate a learning curve to question management, including over training, education, acceptable use, mobile device management, risk and control assessment, situational awareness, threat and vulnerability risk management, and cyber security incident management and governance. Does management show you internal control results over each material risk, including their interactions, and how each risk is identified, controlled and assured? Are you satisfied? Do you have a good dashboard? Does risk culture support cyber security? (Human error and carelessness are big risks.) A recent NACD survey showed a quarter to a third of directors were unsatisfied with the quality and quantity of IT information.
5. Obtain third party assurance if you have any doubt about how technology risk is being mitigated, or of the strength of the technology and assurance bench. Are you satisfied with the IT, risk management, and internal audit bench strength? These are your eyes and ears. You may need to direct changes and resources. Do you have the power, within your board and committee charters, to request an independent audit of technology risk? Do you exercise this responsibility? If you are blocked by management, this is a red flag. Do you meet separately with risk, compliance and audit to assure cyber security risk?
6. Information technology risk, compliance and auditing should functionally report to you as a board or committee, not senior or operating management. Senior management should no longer own the risk function. The chief risk officer, the chief compliance officer, and the chief audit executive, should now be independent and report functionally to the board and its committees, not senior management such as the CEO or CFO. This means that the work-plan, independence, resources, reporting, compensation and succession of these three functions (risk, compliance and audit) are now recommended by committees and decided by directors, not management. Do you practice the foregoing? If not, you could be the last to know for a major technology breach and the resulting reputational and financial loss. Experts will scrutinize how you directed reporting and assurance.
7. Management may be adverse to spending what is needed, and the imposition of internal controls over technology, including those that are reputation or behavour-based. This is why risk oversight rests with the board. Your job is to understand, identify, and oversee, not to manage. The budget, talent, resources, reporting, assurance and disclosure of enterprise risk mitigation, including technology, should rest with you. Information, documentation and informed, best practice and precise questions are your management influence and oversight touch-points.
8. Become engaged. If you have one or more laggard directors who resist technology or keeping current, these intransigent directors are compromising the governance of the company and should be addressed or replaced, especially if they are on or chair key committees. Good boardrooms are now paperless, and good directors use devices and social media with acumen.
9. Have technology stress testing. Do you direct management to implement and report on scenario testing and mock exercises over social media attacks and cyber breaches? When it happens, it is too late.
10. Most of all, protect your company's crown jewels. Think like a hacker. Protect the perimeter, but once inside, are your company's valuable assets still protected? How? Agree on a platform and framework and direct management to have an action plan and target date for full implementation.
Richard Leblanc is a governance lawyer, academic, speaker and independent advisor to leading boards of directors. He can be reached at firstname.lastname@example.org or followed on Twitter @drrleblanc.Suggest a correction