Cyber Defense in the Boardroom: Leveraging the Financial Oversight Paradigm
Publication Date: May 11, 2016 

Cyber security expert John Reed Stark recently shared with us guidance on managing corporate cyber risk. In this first in a series of articles on cyber security, John shares his philosophy on structuring effective cyber risk oversight in the board room.

Hardly a day goes by in legal and consultant circles when some expert somewhere is not opining on the need for corporate boards to bring a greater sense of urgency to address the growing business risk of cyber-attacks. Yet, even the most experienced commentators are underestimating the threat of cyber-attacks, and—even more importantly—overlooking a glaring history lesson that sits in plain view of public companies.

What is this conspicuous history lesson? Boards of directors formulating their cybersecurity oversight should look no further than the current board oversight paradigm for financial accounting and reporting. Boards should put in place the same governance procedures to oversee a corporation’s cybersecurity wellness that have proven effective and sufficiently flexible to assess and validate financial statement accuracy and reliability.

As cyber-attacks continue to proliferate, more and more corporate boards will come to realize that cybersecurity risks now actually trump financial accounting risks – and not just because technology and networks touch every aspect of an enterprise. The nature, extent and potential adverse impacts of these risks demand a proportionate response.

Consider the history of board oversight of financial accounting: As it became clear that corporate insiders were capable of engaging in misconduct, the active oversight and independent supervision over financial controls and governance structures similarly evolved, reducing the risk of financial fraud, fiscal misstatements and management malfeasance. Along those lines, the efficacy of using independent auditors, audit committees and management certifications to deter and minimize such insider misconduct became widely understood and embraced.

However, cyber threats can originate from both inside and outside corporate walls, resulting in a much broader risk profile that requires at least an equivalent if not greater board attention and focus. Indeed, when compared to the risks associated with internal financial malfeasance, deceit or neglect, suffering a cyber-attack can be far more severe in scope, far more cosmic in breadth and far more unpredictable in latitude.

For instance, after suffering a cyber-attack, a corporation must bear more than the substantial regulatory and litigation costs associated with potential privacy violations. Cyber-attacks involving the theft of intellectual property can result in a company’s immediate or even permanent loss of revenue and reputation; cyber-attacks involving denial of services (such as a website being shut down by nefarious hackers) can disrupt or forever diminish consumer or customer confidence; cyber-attacks involving exfiltration of private company emails can have a tumultuous impact upon senior management and create an international uproar; cyber-attacks involving destruction of technological infrastructure or damage to the integrity of a company’s data can require massive and costly remediation; cyber-attacks involving the theft of (and future trading upon) confidential information can damage the integrity of a company’s stock price and disrupt financial markets…and the list goes on.

Notwithstanding these potentially grave consequences; notwithstanding the fact that most experts now view cyber-attacks to be inevitable; and notwithstanding the pervasive nature of the risk, most corporate boards fail to allocate to cybersecurity the same level of oversight routinely afforded to the area of financial reporting.

This needs to change.

Just as occurred in the financial accounting realm, old and stale governance models must be modified and enhanced to address the very real, difficult to control and ever increasing enterprise threat of cyber-attacks. In practical terms, this means that, just as it does for financial reporting, every corporate board should:
  • Create a cybersecurity committee (just like its audit committee);
  • Engage an independent cybersecurity firm to conduct an annual cybersecurity audit (just like an independent accounting firm conducts and signs off on an annual financial audit); and
  • Add cybersecurity expertise and knowledge to the board (sitting right beside the board’s accounting and financial expert).
Following this recommendation will improve overall enterprise risk identification and management of cyber-related challenges and threats -- and fulfill the most fundamental duty of care that every director owes to the corporation, its shareholders and other stakeholders.

Historically, when it comes to their CFOs and the financial reporting function, the successful board paradigm has been one of vigorous and independent supervision, requiring the participation of independent third parties. The same should go for CTOs, CIOs and CISOs, and the maxim of trust but verify should be equally operative in both contexts.

Board members may soon have little choice but to take these steps, not merely to protect their companies but also to protect themselves. Given the current D&O litigation landscape relating to cybersecurity issues, cybersecurity breaches not only create regulatory and other legal liability for corporations but can also create personal liability for directors. For their failure to oversee cybersecurity with the requisite level of care amid the growing corporate risk of cyber-attacks, boards may be sued or reported by a whistleblower.

Boards should also understand that, just like financial accounting failures, when cyber-attacks are handled correctly and appropriately, the response not only strengthens a corporation’s infrastructure but also reinforces strong business ethics; fierce customer dedication; and steadfast corporate governance.

There is a terrific scene in Ron Howard’s 1995 film Apollo 13, which demonstrates this notion of successful failure so brilliantly. The film, which takes place in 1970, shows the trials and tribulations of the Apollo 13 crew, mission control, and families after a near fatal in-space accident cripples the space vehicle. NASA must devise a strategy to return Apollo 13 to Earth safely in the ultimate crisis management situation. Just before the most intense moment, when it remains unclear whether the astronauts would survive their desperate re-entry flight back to Earth, several senior NASA officials and spokesman are mulling over the impact of the accident. One of them states, “I know what the problems are. This could be the worst disaster NASA's ever experienced.” Ed Harris playing Gene Kranz, the famed NASA Apollo 13 flight director, overhears the misguided discussion and interrupts them, firmly declaring, “With all due respect, sir, I believe this is gonna be our finest hour.” It is a scene any corporate board member would find particularly compelling.

For boards contemplating their cybersecurity oversight, there is no need to reinvent the wheel. History provides an authoritative guide. By leveraging financial accounting governance lessons acquired over the past 70 years, and elevating cybersecurity oversight to the top of the risk food chain, boards can better protect their corporations from cyber-adversaries, better carry out their fiduciary responsibilities – and establish a leadership position in managing the emerging and dynamic risk of cyber-attacks.

John Reed Stark, President of John Reed Stark Consulting LLC, served for 15 years as an SEC enforcement attorney leading cyber-related projects, investigations and enforcement actions. He served for 11 years as Founder and Chief of the SEC Office of Internet Enforcement and for 15 years as an Adjunct Professor at Georgetown University Law School teaching a law and technology course.