A few pioneering boards are “taking the bold step of forming a full-fledged committee focused on cybersecurity,” the WSJ Pro Cybersecurity newsletter reports (subscribe to the newsletter to read the article).
Motivating the trend, says the Journal:
1. The Securities and Exchange Commission’s guidance in February to provide more details on cybersecurity threats and risks has “prompted directors to question closely senior technology leaders at board meetings.” The Journal quotes James Lam, Chairman of the Risk Oversight Committee for the board of E*TRADE and Independent Director on the RiskLens board, saying that he wants to hear details about risk discussed in terms of potential losses. “If CISOs push back,” Lam says, “I find that unacceptable as a director.”
[Watch the video of James Lam’s keynote address to the recent FAIR Conference: A Risk Committee Chair’s View of ERM and Cybersecurity Oversight – free registration for FAIR Institute membership required.]
2. The need for better risk information for boards as organizations try to transform business models with artificial intelligence, blockchain and other new technologies. “Every business can and should reassess how do we transform that business,” The Journal quotes Jim Pflaging, chairman of a board-level cybersecurity committee at SailPoint Technologies Holdings. “Much fewer make the same leap to [determine] how to do it securely.”
According to The Journal, General Motors is out in front of the trend, forming a cybersecurity committee in November 2017 to oversee all cyber risk. In its two meetings reported in public documents, the GM committee reviewed the company’s top risks and approved a ransomware policy. Other major companies, including Ford Motor Co. and CVS Health Corp., have expanded the cyber responsibilities of the board’s traditional audit and risk committees, while FedEx Corp. assigns cyber risk policy to the board’s Information Technology Oversight committee.
Even without full-fledged board committees, thousands of leading thinkers in the security and risk professions are elevating the discussion of cyber risk to the board level by talking in terms of cyber risk quantification, and in particular by using the standard FAIR model to break risk down into financial terms. Some 4,000 risk professionals have joined the FAIR Institute, and many Fortune 1000 companies are implementing FAIR using the RiskLens platform to create enterprise-wide cyber risk quantification programs for risk management or for disclosure reporting to meet the requirements of the SEC, the EU GDPR or other regulators.
The Journal is clearly on to this trend. See these…
…and your organization should be too.
Contact Us to learn how RiskLens can help boards gain better oversight into cyber risk.