This article from Forbes discusses cyber risk oversight, a core tenet of a board's fiduciary duty
Media mention
Forbes: What Is A Cyber Fiduciary? How To Advance Cyber Risk Oversight And Management
A fiduciary is a person or entity who has a responsibility to inform and act in good faith toward another party, such as a company, director or a client. An entity with fiduciary responsibility must maintain that trust and any associated decisions with their client’s best interest in mind.
The role of a fiduciary is well understood in the financial industry, as there are contractual obligations that govern the relationship between a financial advisor or investment manager and their respective clients. However, a board of directors also has a fiduciary responsibility to the shareholders and the organization that it oversees.
Risk oversight, including cyber risk oversight, is a core tenet of a board’s fiduciary duty. As cyber risk governance has become increasingly challenging due to the scale and sophistication of attacks, the need for C-suite executives to more tightly align their cybersecurity and business strategies has also increased. But they don’t need to do it alone.
According to Business Law Today, “General counsels and outside firms can play a significant role in helping directors and officers meet their fiduciary duty and avoid derivative shareholder suits by confirming a cyber governance framework is created that identifies key cyber risks, ensures appropriate data about these risks is reported to the board, and establishes a board process to review this information and monitor the risks.” Expertise and collaboration among these groups are a strong start to addressing cyber risk.
Enterprise risk management has well-defined models for quantifying and managing corporate risk. Financial institutions, as an example, have dedicated resources toward managing liquidity risk, equity risk or credit risk. Insurance underwriters use historical data and data models to assess the likelihood of a covered risk being realized.
However, when it comes to addressing the increasingly complex environment around all that encapsulates cyber risk—which is a business risk—this level of rigor and maturity just isn’t there. Yet.
Herein lies the challenge: How does a board of directors uphold its fiduciary duties when it comes to understanding, overseeing and ultimately driving management of a risk that is, relative to other enterprise risks, still immaturely understood and managed?
The risks introduced by cyberspace fundamentally come down to threats, vulnerabilities and digital assets. Simply put, the digital assets (e.g., a website) that are used for a business can contain vulnerabilities (e.g., code flaws) that a threat (e.g., hacker) can exploit.
With this understanding, fiduciaries can build rational “logic loops” to start managing cyber risk in a manner that is more on par with enterprise risk management disciplines. Countless cyber breach case studies have shown that cyber incidents can have a material impact on the business. So why hasn’t cyber risk been fully elevated to the level of due diligence that it requires?
Acting as a cyber fiduciary means addressing cyber risk in the same way that enterprise risks are traditionally managed—with defensible processes that demonstrate duty of care.
Consider how a bank assesses a mortgage application: There are processes in place to evaluate the applicant’s income, assets, credit and other relevant data. A decision is made on the suitability of the loan. If circumstances change after the disbursement, necessary adjustments are made. The same model or paradigm can apply to managing cyber risk in a fiduciary-like manner. Start by asking the following questions:
This “logic loop” can provide a defensible process through which businesses can start regularly maturing their management of cyber risk, much as a bank assesses loan default risk. Part of the challenge is reviewing this loop regularly rather than once: the threats, vulnerabilities and assets that feed it all change over time.
Now is the time for organizations and the technology industry at large to start thinking about cyber risk with a level of maturity and rigor that is on par with traditionally understood enterprise risks.
Cybersecurity is not a program or technology that one can “set and forget,” because motivated adversaries are active and adaptive. As cyber threats become more impactful, they require a new approach to board-level fiduciary practices.
Operating as a cyber fiduciary is a crucial mindset shift for leadership to better evolve with the threat and uphold one’s fiduciary responsibilities to the organization and their clients.