According to a report from the Diligent Institute, corporate board directors are facing difficulties in effectively managing the increased risk of cyberattacks. The report highlights that the rise of complex cyber threats, including ransomware, has challenged the traditional approach to corporate governance. Cybersecurity and business disruption are now considered the leading corporate risks. Unfortunately, the Diligent Institute's research reveals that only 9% of the average board has technical expertise in cybersecurity, and a staggering 50% of the surveyed companies have no technical expertise represented on the board.
Boards of directors are facing mounting pressure to ensure the sound governance of cybersecurity risk, yet often struggle to do so due to a lack of expertise. The research team at Alfahive recently conducted an analysis of board-level expertise by utilizing publicly available data from various sources, including McKinsey, Deloitte, the Wall Street Journal, and Ernst & Young. The analysis revealed that an alarming number of companies, up to 90%, do not have a single director with the necessary knowledge and experience in cybersecurity. This shortage of expertise at the board level creates significant challenges in effectively managing and mitigating cybersecurity risks. The findings of this analysis highlight the importance of having board members with a strong understanding of the evolving threat landscape and the technical knowledge required to address the complex cybersecurity challenges that companies face today.
The SEC is in the process of finalizing regulations aimed at boosting the transparency and expertise of boards of directors. The proposed regulations were put forth in March 2022 and are expected to become effective in April 2023. The new SEC rules will mandate increased public disclosure in the following key areas:
The new SEC regulations are designed to provide clarity and transparency in the area of cybersecurity, particularly with regard to the expertise of directors. This heightened transparency, achieved through the requirement of increased public disclosure, will give stakeholders, including shareholders and regulators, a clearer understanding of the level of competence of directors in this critical field.
It is important to note that while the regulations do not set minimum requirements for director expertise, they will nonetheless put boards under increased scrutiny. This highlights the need for boards to proactively evaluate and strengthen their knowledge and skills in cybersecurity, so they can effectively fulfill their duties and meet the expectations of stakeholders.
Given the rapidly evolving threat landscape in cybersecurity, boards have a significant challenge ahead of them to ensure their competence and expertise in this area. The new SEC regulations are a call to action for boards to take a proactive and comprehensive approach to enhance their cybersecurity governance.
In the past, it was mainly regulated industries, such as banks, insurance companies, utilities, and critical national infrastructure entities, that placed a high priority on cybersecurity. However, recent years have seen a significant increase in cyberattacks, leading many businesses to realize that they too are vulnerable to these threats, regardless of whether they are considered high-value targets.
Retailers and manufacturers, in particular, have become more aware of the risks associated with digitization. With the shift to remote work and the rise of ransomware attacks, most companies now understand the dangers posed by their reliance on online channels for conducting business and interacting with employees.
According to a report by McKinsey, organizations are supposed to measure the business value at risk from any given cybersecurity incident. However, a significant number of companies struggle with this due to the lack of transparency and reliable models to quantify the business impact of such incidents. To overcome this, many organizations resort to a maturity-based approach. This approach involves using external benchmarks to assess the relative level of maturity of their cybersecurity controls. While this is a step up from not managing cybersecurity at all, it can sometimes lead to an incorrect incentive to simply invest in more controls, instead of focusing on the most impactful measures.
At Alfahive, we are firm in our belief that successful cybersecurity begins with a strong foundation in business and industry knowledge. Our approach to cyber risk management aligns with our clients' individual business operations, allowing them to comprehend, quantify, communicate, and make data-driven decisions that enhance cyber resilience. Our platform harnesses industry-specific data-driven models and cutting-edge machine learning technology to proactively identify a specific industry's cyber risks and quantify the financial exposure and probability of impact. This approach has two key advantages: first, the pre-training of the model with industry-specific information speeds up the time to value by over ten times; second, all business and technology stakeholders can communicate effectively in the common language of cyber risk in financial terms.
A report from IBM Security from the previous year found that organizations that practiced their incident response plan experienced cost savings in the event of a breach, averaging $2.66 million, compared to those that did not perform such testing.
The reaction of an organization in the face of a cyberattack can vary greatly depending on the level of preparedness it has demonstrated beforehand. Clear and effective communication is key, as having a unified understanding of how the incident is being addressed is critical. In this regard, the board plays a vital role in supporting the executive team by ensuring that everyone, both within and outside the organization, is informed and on the same page.
Alfahive’s platform helps organizations to understand the cyber risks in the context of the industry and prioritize security control improvements. This approach helps to bridge the gap between risk management and security, by providing a clear understanding of the risks that companies face, and by identifying the specific security controls that are needed to mitigate those risks.
We invite forward-looking organizations to take advantage of our free-of-charge two-week value discovery pilot with our platform and join us in our approach to making a lasting impact in the cyber risk management world.