Boardrooms are the best way to regulate cyber risk

Ransomware and its impact on business operations moved to the forefront of the cyber risk impact discussion in 2021. The World Economic Forum reports a 435% increase in ransomware from 2019 to 2020¹ and its outlook for 2022² indicates ransomware as the top threat that organizations are most concerned about. Attackers have figured out that their most valuable path comes from the disruption that they can cause by holding data, organizations, economies and societies hostage. Also, they are no longer just focused on one target; they are now taking hostages across wide and interconnected target environments. The growing threat of cyber risk continues to develop faster than the ability of most organizations and governments to protect themselves. These threats also extend well beyond the digital system being hacked—they are a threat to our way of life.

Regulators have taken note and have been pushing forward with additional regulation and increasing fines³ on private organizations, including stronger privacy protections, minimum cyber controls and a global patchwork of mandatory cyber incident reporting. There remains a glaring weak point that organizations and their regulators are not paying enough attention to—the boardroom. The boardroom is a critical control capability in tackling cybersecurity, but unfortunately for most organizations, it is dangerously underdeveloped. So far, there have been no laws implemented by regulators that are forcing corporate boards to govern cyber risk more effectively in any country around the world.

Gross Domestic Product (GDP) and long-term business growth are increasingly dependent upon the complex digital systems that power and enable economies, companies, products and services worldwide. However, many corporate boards are not actively governing these rapidly developing issues and are struggling to understand and oversee digital transformation and its risks. The lack of progress in adopting effective cybersecurity governance policies and practices in boardrooms worldwide is a direct threat to the digital growth and progress already made and further advancements toward the digital future for economies and businesses worldwide. A few developments in the US could lead the way to greater boardroom accountability on cyber risk. Recently, the U.S. Securities and Exchange Commission voted to publish proposed rules that would, if finalized, require all public companies subject to the Security Exchange Act of 1934 to describe the cybersecurity expertise of its board of directors, if any, along with additional disclosures about the company’s cybersecurity risk management policies and other requirements.⁴

A bipartisan group of U.S. Senators have proposed a similar disclosure requirement. If passed, S.808, the Cybersecurity Disclosure Act of 2021, would require US-listed companies to disclose if any corporate director has cybersecurity expertise or experience and to disclosure the nature of the expertise.

US regulators have forced US-listed companies to add critical corporate director competencies to the boardroom before. Strengthening boardroom accountability and capability over financial reporting was also a key provision of the Sarbanes Oxley Act, enacted in 2002, that required corporate boards to disclose if there was a qualified financial expert amongst their director ranks. This simple disclosure reform had the almost immediate effect of strengthening financial reporting and accounting management practices. By ensuring that director-level financial expertise existed within the boardroom to govern these issues, investor and public confidence was also restored because financial and accounting processes, systems and controls became much stronger within the company. The US capital markets were facing a catastrophic and existential risk if confidence in financial reporting collapsed. Adding directors with financial expertise quickly solved a core part of the problem. This US precedent would influence corporate governance reform on this issue worldwide.

With growing levels of systemic cyber risk facing companies worldwide, strengthening the corporate boardroom as a critical cyber risk control capability is long overdue. Systemic cyber threats inflict an exponential level of damage which creates the greatest likelihood that attackers get paid or find success in whatever their motivations may be. Colonial Pipeline’s ransomware attackers had a systemic impact when they shut down the nation’s largest fuel supply pipeline as a result of a ransomware incident. What’s more, the SolarWinds breach was an example of a systemic attack tactic that impacted tens of thousands of companies beyond the one where the breach occurred.

Empowered by self-regulation

Fortunately, boardrooms do not have to wait for governments to force them to strengthen their governance of cyber risk. Self-regulating by adopting the leading practices that some boardrooms have already adopted starts with having cyber expertise in the boardroom. Several companies, including FedEx, GM, AIG, Hasbro and some others, have already done this.

Here are some of the ways having cyber expertise in the boardroom can strengthen cybersecurity defenses:

• It’s easier to manage complex digital and cyber risk: Beyond adding director-level cyber expertise to the board, there is a growing body of self-regulatory guidance available that reflects leading policies and practices in governing and managing the complex issues associated with digital and cyber risk. These practices extend to rethinking boardroom structure and redefining the scope of digital and cyber risk oversight that the boardroom oversees, along with how the board interacts with management on these issues.
• The business benefits from digitally savvy boards: The business impacts of having a digitally savvy board have been determined to be significant for many US-listed companies. Massachusetts Institute of Technology’s (MIT’s) Center for Information Systems Research identified the financial performance impacts for companies with “digitally savvy” boardrooms. These benefits included 38% higher revenue growth over three years, 34% higher growth in return on assets, 34% higher market capitalization growth and 17% higher profit margins. These results were observed where the board had a critical mass of at least three digitally savvy corporate directors.⁵
• Self-regulation is more cost effective than regulatory fines: The increasing amount of economic and business value being created by digital systems needs protecting. As cyber regulations continue to expand, their fines can only increase as companies who cannot or will not comply with their mandates are penalized. However, as is often the case in many areas, self-regulation can materially contribute to reducing real levels of cyber risk and is significantly less expensive.

Incentivizing or requiring companies to add cyber expertise to boardroom leadership has the potential to be one of the most effective ways to improve corporate governance of cyber risk.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.

Copyright © 2023 Accenture. All rights reserved.

References

¹ World Economic Forum. “Global Risk Report 2022 17th Edition.” Geneva

² World Economic Forum. “Global Cybersecurity Outlook 2022”

³ GDPR Enforcement Tracker. Data accessed February 18, 2022. CMS.

⁴ https://www.sec.gov/rules/proposed/2022/33-11038.pdf

⁵ Weill, Peter; Apel, Thomas; Woerner, Stephanie L.; Banner, Jennifer S. 2019. “Assessing The Impact Of A Digitially Savvy Board On Company Performance”. MIT Management Sloan School Center For Information Systems Research (CISR). Boston.