The frequency and high-profile nature of cybersecurity threats have gained the attention of corporate leadership, board directors, policymakers and the public. Federal and state regulators have heightened expectations for cybersecurity risk management at firms, including more active engagement by the Board of Directors. With all this increased regulatory and cyber threat activity, it’s clear that financial services company boards could benefit from gaining insights and learning best practices about how to deal head-on with these important issues.
For example, recently the New York State Department of Financial Services released proposed cybersecurity regulations that would require the Chief Information Security Officer to report to the board at least bi-annually on a number of topics including cyber risks, the firm’s cybersecurity program and efforts to remediate inadequacies.
Legislators have also expressed their desire to ensure boards play an active role in cybersecurity. Last year, legislation was introduced in the U.S. Senate that would require public companies to disclose the board’s cybersecurity expertise.
While board engagement in cyber risk management is not new for financial services firms, there remains a great deal of interest in identifying new and better ways of presenting information to the board and helping directors put cyber risks in context.
To assist in this endeavor, the Financial Services Roundtable’s cyber and technology policy division, BITS, conducted primary research and convened subject matter experts along with CIOs and CISOs to share insights and effective practices across the industry. The findings from this work, including an in-person discussion that took place this summer, are contained in a new white paper, Cybersecurity and the Board of Directors.
One issue of great importance highlighted in this new paper is the frequency and scope of communication with boards on cybersecurity matters. For instance, a best practice among many CIOs and CISOs is to provide quarterly briefings to the board, at least two of which are to the full board. Board reports may include:
- An executive summary covering items management is currently dealing with, regulatory or legislative activity and information security incidents;
- Outcomes of risk assessments and internal audits;
- An internal roadmap demonstrating progress against key cybersecurity goals; and
- An overview of cyber threats globally, nationally and across the industry.
The complex and changing regulatory environment, combined with the fast pace of adoption of new technologies like mobile platforms and the public cloud, has created challenges for CIOs and CISOs as they seek to demonstrate progress and identify key areas for board director focus.
Some firms have added board directors with technology or security expertise and created technology committees to better oversee cyber risk management. This is not the case for the majority of firms, however, which have instead sought ways to provide education and training for board directors by bringing in third-party experts and conducting tailored education sessions.
Recently, the proliferation of overlapping cybersecurity frameworks and other regulatory requirements has complicated efforts to provide board directors with a thorough but succinct report on cyber risks. Most firms have adopted the NIST Cybersecurity Framework and are either working to incorporate newer frameworks like the FFIEC Cybersecurity Assessment Tool or to develop their own set of comprehensive metrics to measure progress.
With all of this rapidly advancing change, one thing is for sure—cybersecurity matters, at the board level, are here to stay and will only grow in importance as companies work to keep their customers’ trust.
Learn more about areas of focus for board directors, tips for helping educate and inform the board and the use of frameworks and metrics here.