By redefining the way they’re overseeing cybersecurity risk, an emerging group of high-profile companies is reducing the likelihood, costs and impacts of data breaches – while improving their ability to create value with digital technologies.

And not a moment too soon, because regulators are taking notice of corporate progress and effectiveness in cybersecurity risk oversight and management. Or, as the case may be, the lack of progress. More than 94 countries now have data privacy and protection laws in place[i]. Europe’s General Data Protection Regulation is entering its third year; the California Consumer Privacy Act went into effect on July 1, 2020.

As of October 2020, the GDPR had issued more than €550 million in fines since its inception in 2018[ii]. Notably, more than €335 million of these fines were related to “insufficient technical and organizational measures to ensure information security.”

Fortunately, these self-inflicted wounds are helping organizations recognize the importance of boardroom leadership on digital and cybersecurity risk. Boardrooms must lead in setting the digital and cybersecurity tone at the top, and they play a critical role in the effectiveness of every company’s cybersecurity system.

New leadership in cybersecurity risk oversight

Multiple companies are starting to transform their boardrooms’ approach to overseeing the challenges and opportunities of the digital future. A few examples include Walmart[iii], Ford[iv] and Federal Express[v]. Here’s what they and others are doing to set the right digital and cybersecurity tone at the top.  

Developing the board’s skillsets

Effective corporate governance must start with the directors’ ability to understand the issues and risks the organization is facing today and into the future. Cybersecurity risk is commonly viewed as one of the things that can go wrong with any digital business system, e.g., a data breach. But digital risk also encompasses the strategic opportunity risk of digital tools and how they can drive business value: If an organization isn’t aggressive enough in implementing new technology it is at risk of disruption from competitors.

Leading boardrooms have directors who comprehend both the upside and the downside risks. For these companies, the foundation of effective digital and cybersecurity corporate governance starts with corporate directors’ ability to oversee these issues properly. And it’s not just about asking questions. They also have a duty to question the answers they get. That’s why leading boards are adding and developing these abilities in their corporate directors.

There are two aspects to a director’s ability on these issues. First, organizations are adding corporate directors who have digital and cybersecurity competencies. Second, boards are developing and maintaining the digital and cybersecurity risk oversight abilities of their corporate directors through focused training. 

Recommended best practices

  • Add corporate directors to the board with digital and cybersecurity competencies.
  • Implement full board training and development programs focused on digital and cybersecurity risk and oversight.
Organizing the board for maximum effectiveness

How the corporate board organizes itself is essential to effective governance. To that end, boardroom leaders are organizing their efforts through focused technology and/or cybersecurity committees. This is evidenced by the NACD 2019-2020 Public Company Governance Survey[vi], which shows that 5.4 percent of the Russell 3000 now has technology committees. In addition, 1.2 percent have cybersecurity committees. While these numbers may seem small, the trend is up – sharply. From the prior year, these numbers are up 20 percent and 70 percent respectively.

These boardrooms recognize that digital value creation and protection requires focus and time; a generalist approach here may not be sufficient. Thus, boards are rethinking their practices to, for example, have their audit committee oversee cybersecurity risk. Or they are tasking the full board with the digital oversight agenda.

A good example of a best corporate governance approach to this issue is Walmart. Its board created a Technology and eCommerce Committee that reviews and oversees “matters relating to information technology and systems and eCommerce.[vii]

Research[viii] on the impact of boardroom committee structure and decentralizing critical oversight tasks identifies the following benefits of such boardroom committees:

  1. More efficient task allocation for directors.
  2. Greater knowledge specialization within the committee.
  3. Greater boardroom accountability to the firm on the committee agenda.

Another benefit of a cybersecurity committee is the strong external signal this sends to investors, hackers and other stakeholders. The tradeoff of a committee is the potential for too many siloed specialists; however, boards adapt to this with multi-committee directors. For example, having an audit committee member also sit on the technology and cybersecurity committee.

Recommended best practice

  • Decentralize digital and/or cybersecurity risk oversight through a focused committee staffed with qualified digitally savvy directors.
Expanding the board’s understanding of systemic risk

As Accenture’s Third Annual State of Cyber Resilience Research indicates, a group of leaders is emerging whose cybersecurity risk management practices differentiate their ability to mitigate risk. This elite group achieves results far better than most because it scales, trains, collaborates and innovates far differently.

It’s no different in the boardroom. Every boardroom has a critical role to play in how the company approaches, understands and mitigates cybersecurity risk throughout its business system. Risk is systemic when it exists within complex systems so deeply that it can threaten the entire organization. Since every digital business enterprise now employs complex systems, the risks are real, deep and growing – in part because of the pandemic but also because cybercriminals are becoming smarter and more sophisticated.

Systemic risk is a necessary perspective in enterprise risk management because it brings a wider view to the complexity that exists in every organization’s digital business system. When corporate boards embrace this view, directors have an advantage in understanding and overseeing the complex digital business systems that power their companies and put them at risk. Thus, systems thinking capabilities are becoming a competitive differentiator for high-performing directors and their corporate boards.

Recommended best practice

  • Develop director capabilities in systems thinking with training and third-party expert advice. Recognize cybersecurity as inherently systemic and apply systems thinking capabilities to the boardroom agenda to govern the upside and downside risks of business value post-COVID.
A call to action for leadership

With a growing group of boardroom leaders taking steps now to redefine new standards and capabilities around digital and cybersecurity risk oversight, the bar has been set. Let’s all reach for it.

 

Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative. This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.

Copyright © 2020 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.

___

[i] Global Data Governance, Foreign Policy Magazine, May 13, 2020, https://foreignpolicy.com/2020/05/13/data-governance-privacy-internet-regulation-localization-global-technology-power-map/

[ii] GDPR Enforcement Tracker, https://www.enforcementtracker.com/insights

[iii] Walmart Corporate Governance, https://stock.walmart.com/investors/corporate-governance/board-of-directors-committee-information/technology-and-ecommerce-committee/default.aspx

[iv] Charter of the Sustainability and Innovation Committee of the Board of Directors, https://corporate.ford.com/content/dam/corporate/us/en-us/documents/governance-and-policies/company-governance-sustainability-and-innovation-committee-charter.pdf

[v] Information Technology Oversight Committee Charter, https://investors.fedex.com/esg/board-of-directors/committee-charters/information-technology-oversight-committee-charter/default.aspx

[vi] NACD Public Company Governance Survey, NACD, December 11, 2019, https://www.nacdonline.org/insights/publications.cfm?ItemNumber=66566

[vii] Walmart Corporate Governance, https://stock.walmart.com/investors/corporate-governance/board-of-directors-committee-information/technology-and-ecommerce-committee/default.aspx

[viii] The Structure of Board Committees, Harvard Business School, November 2, 2016, https://hbswk.hbs.edu/item/the-structure-of-board-committees

Robert Kress

Managing Director – Accenture Security, Global Quality and Risk Lead

Subscription Center
Subscribe to Security Blog Subscribe to Security Blog