Governing Cyber Risk: New Challenge for Corporate Boards, Report
Corporate boards of directors want more and better collaboration with federal regulators and policymakers to help minimize cyber threats to national security and businesses, a new report from the Cyber Risk Director Network (CRDN) said.
The 29-member CRDN is made up of non-executive directors at large enterprises, including Apple, Capital One, Citigroup, General Electric, General Motors and Home Depot. Its goal is to fortify national cybersecurity by strengthening board oversight of the largest US companies. Tapestry Networks, a Waltham, Massachusetts-based management consultant, formed the group, chaired the organization’s recent inaugural meeting in New York City and produced the report, entitled Cybersecurity: An Evolving Governance Challenge.
Corporate board-level governance and public-private collaboration on cybersecurity are at a fledgling stage, with corporate boards still figuring out how to address cyber risk and contribute to incident response, the report found. The document, which is divided into three parts (board oversight of cyber risk, public-private collaboration, and the board’s role in cyber incident response), summarizes the collective views of CRDN members.
Key findings from the report:
On board oversight of cyber risk.
- Governing cyber risk is a new and fundamentally different challenge for boards.
- Boards are exploring a wide variety of structures for cyber oversight.
- Director interactions with management around cyber are complex.
On public-private collaboration.
- Collaboration between government and the private sector remains embryonic.
- Private sector leaders feel the need to take initiative to improve the extent and quality of public-private collaboration.
- Emerging practices can include temporary security clearances for board directors, information-sharing pilot programs, and widely known standards, but directors don’t see any of these as adequate thus far.
On board role in cyber incident response.
- Corporate response to an attack must go further than technical or legal considerations.
- The board’s involvement is critical, both in planning and responding.
Improved information-sharing and coordination between the public and private sectors are critical to cyber defense, said Michael Mahoney, a Tapestry partner and the CRDN project lead. “Cyberattacks on industry have a direct impact on national and economic security, especially with state and non-state actors targeting American corporations,” he said.