I just co-authored with David Fontaine (CEO of Corporate Risk Holdings) a 10,000-word article on boards of directors and cybersecurity entitled, “Boards of Directors and Cybersecurity: Applying Lessons Learned From 70 Years of Financial Reporting Oversight.” This topic is ready for a new paradigm — which David and I discuss in detail. As we point out in the article:
“Hardly a day goes by in legal and consultant circles when some expert somewhere is not opining on the need for corporate boards to exercise some manner of cybersecurity oversight. While opinions vary, everyone seems to agree that corporate boards need to bring a greater sense of urgency to address the growing business risk of cyber-attacks.
Yet, even the most experienced commentators are underestimating the threat of cyber-attacks, and, even more importantly, are overlooking a glaring history lesson that sits in plain view. As a result, these expert recommendations are unfortunately missing their mark.
What is this conspicuous history lesson? Boards of directors formulating their cybersecurity oversight should look no further than the current board oversight paradigm for financial accounting and reporting. Boards should put in place the same governance procedures to oversee a corporation’s cybersecurity wellness that have proven effective and sufficiently flexible to assess and validate financial statement accuracy and reliability.
As cyber-attacks continue to proliferate, more and more corporate boards will come to realize that cybersecurity risks now actually trump financial accounting risks – and not just because technology and networks touch every aspect of an enterprise. The nature, extent and potential adverse impacts of these risks demand a proportionate response.
Consider the history of board oversight of financial accounting: As it became clear that corporate insiders were capable of engaging in misconduct, the active oversight and independent supervision over financial controls and governance structures similarly evolved, reducing the risk of financial fraud, fiscal misstatements and management malfeasance. Along those lines, the efficacy of using independent auditors, audit committees and management certifications to deter and minimize such insider misconduct became widely understood and embraced.
But threats to financial accounting transparency and accuracy are primarily insider driven. In contrast, cyber threats can originate from both inside and outside corporate walls, resulting in a much broader risk profile that requires at least equivalent, if not greater, board attention and focus. Indeed, when compared to the risks associated with internal accounting fraud schemes, individual financial malfeasance and other instances of financial reporting deceit or neglect, suffering a cyber-attack can be far more severe in scope, far more cosmic in breadth and far more unpredictable in latitude.”