Sonita Lontoh quoted by Fortune for Diligent’s Modern Board on Cybersecurity Good Governance
Why actionable information on cybersecurity is key to good governance
By Matt O'Grady
July 24, 2024
Last month, thousands of car dealers across the U.S. found themselves unable to sell or repair vehicles for days thanks to a cyberattack on CDK Global, whose technology platform underpins their operations. It’s just the latest in a series of stories that underscore the surging cost of cybercrime—expected to rise from $8.44 trillion globally in 2022 to $23.84 trillion by 2027.
“For big companies, it’s not a question of if there will be a data security incident or a breach—it’s a matter of when,” says Dominique Shelton Leipzig, a partner at international law firm Mayer Brown’s Los Angeles office, where she leads the firm’s Global Data Innovation Group. “Are you going to be knocked offline for several days? Or are you going to be in a position where you know where your data is, and can quickly deploy backup systems and move forward in a resilient fashion?”
In July 2023, the Securities and Exchange Commission (SEC) adopted new rules requiring public companies to “disclose both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.” It echoes a similar move by the European Union, whose Digital Operational Resilience Act (DORA) aims to harmonize and strengthen IT security and operational resilience at European financial entities.
While the SEC ultimately dropped a proposed requirement that companies disclose the cybersecurity expertise of their board members, the new rules are clear that boards need to provide, and publicly describe, more robust oversight. Still, as Shelton Leipzig points out, too much corporate reporting on cybersecurity remains “opaque.”
“Just imagine a CISO (Chief Information Security Officer) comes in to the board and says, ‘We vanquished this many malicious exploits and this many malicious IP addresses—and so everything's fine.’ And then they sit down. There’s not really much for the board to engage upon. But if they have a report that says, ‘80% of our business critical data is in these locations, and if we want to make sure we have it backed up and are resilient against a cyberattack, it would cost this much. What would you like to do?’ Suddenly, the board is back doing what they do best: tethering decisions to revenue, strategy and operations.”
Board education and expertise
With the increasing risks facing boards, there is an undeniable need for directors to be better educated. Recent research from the Diligent Institute and NightDragon indicates that cyber experts (former CISOs or C-suite executives at cybersecurity companies) hold just 12% of board seats at S&P 500 companies.
According to one seasoned board director, however, education shouldn’t be equated with expertise. “Among non-tech companies, there's a tendency to rely on one ‘expert’ director to act as a tech translator on the board,” says Sonita Lontoh, an independent director with Sunrun and TrueBlue.
Instead, she argues, some of that knowledge can be gained through an advisory board or regular expert board presentations: “I think all board members need to be technologically literate—in the same way board members need to be financially literate.”
Originally published in Fortune for Diligent’s Modern Board newsletter.