Significant cyberattacks have recently targeted a leading auto dealer software provider, one of the largest health care payment processors in the world and a variety of other organizations of all sizes across all industries. These events caused company productivity to grind to a halt, led directly to lost revenue and reputational damage, and, in some cases, created a ripple effect of challenges across entire industries. These attacks show that boards need to continue working to understand potential threats and implement more effective cybersecurity oversight and accountability standards.
With the rise of AI, boards may be guilty of chasing the new, shiny object, becoming distracted and devoting less attention to ongoing cybersecurity challenges. But there is too much at stake to underestimate cybersecurity risks or become complacent — ongoing governance is necessary because cyber threats are constant and a bad actor needs to be right only once to cause significant damage to an organization.
The numbers show that cybersecurity risk is not going away — in fact, it is actually increasing. In the RSM US Middle Market Business Index Special Report: Cybersecurity 2024, 28% of middle-market executives surveyed reported suffering a data breach in the previous year, tying a record high in RSM's research. As evolving risks threaten operations and bad actors relentlessly seek any potential vulnerability, cybersecurity needs to be a focal point of all board governance strategies.
Advancing Digital Tools
Technology advances quickly, and companies need to leverage new innovations to keep pace with competition and capitalize on potential efficiency, insight and productivity gains. However, implementing new digital tools can create additional risks and security gaps.
For example, the Internet of Things (IoT) consists of a growing number of modern technology devices and the sensors that facilitate communication among them. Comprising a vast array of items ranging from sophisticated manufacturing equipment to medical devices to smart meters, IoT-enabled devices can share information on how to operate more efficiently or signal the need for service, among other benefits. But with significant increases in connectivity, the IoT creates more endpoints that hackers can exploit to disrupt operations.
In addition, while companies are rapidly moving to implement AI, boards and leadership may not fully understand this new technology and the cybersecurity risks it poses. But it is built on data, so any implementation has a significant cybersecurity element. AI can undoubtedly deliver big benefits, but without effective data controls and governance, security and privacy concerns can arise, with potential exposure of sensitive data.
Emerging Cybersecurity Legislation
As cyberthreats continue to increase in frequency and severity, many international, federal and industry regulations have emerged to help protect sensitive data and systems. Boards need to be aware of these changes and ensure compliance, which often requires more robust cybersecurity oversight on their part.
The Department of Defense's (DOD's) Cybersecurity Maturity Model Certification (CMMC) is a major consideration for current government contractors and companies that seek to become one. CMMC guidelines seek to strengthen national security by preventing unauthorized access to sensitive data, but certification may require a structural change for many companies because DOD business must be segmented from commercial business. Often, government contractors need to deploy a new infrastructure to maintain compliance and remain eligible to receive government contracts.
From an international perspective, the European Union's (EU's) Network and Information Security Directive (NIS2) creates a common expectation for cybersecurity across EU nations. NIS2 goes into effect in October 2024 for companies that do business in the EU and requires cybersecurity assessments, compliance with specific security requirements and continuous process improvements. A key element of NIS2 is the involvement of both the board and management in developing and implementing cyber risk management strategies.
From a domestic standpoint, no federal cybersecurity standard exists, but individual states continue to adopt data security laws, increasing the complexity of managing customer information and maintaining operations across multiple states. The California Consumer Privacy Act is one of the strictest privacy laws in the nation and serves as a blueprint for many other state regulations. To comply with the law, which allows California residents to control how organizations collect, process and store their personal information, an organization may need to make significant modifications to its business operations.
In the last year, new SEC cybersecurity incident disclosure rules have significantly altered how public companies disclose incidents and detail cybersecurity processes. Public companies are now required by the SEC to disclose any material impact — both objective and subjective — that security breaches may have on operations within four days and regularly provide information on risk management processes and details of response plans. The SEC also requires details of cyber governance, including the board's oversight of risks.
Growing Third-Party Risks
All organizations increasingly rely on outsourcing services to fill internal staffing gaps. As needs continue to grow, that business model is not going away. Working with third parties can introduce new systemic risks to a company's operational environment — as proven by several recent major outages that have affected thousands of organizations. Management can implement a strategy that outsources responsibilities, but it cannot outsource the related risks.
Responses to Potential Threats
With threats constantly shifting, keeping up with cybersecurity governance and oversight will always be a challenge for boards. While risks continue to evolve, so do the protective strategies that boards and leadership can take advantage of to craft a robust cybersecurity approach. These include:
Digital identity measures. With security perimeter lines blurred as digital innovations advance, digital identity federates access across applications both on premises and in the cloud by creating profiles of employees, customers, third-party users and other organizations and dictating access levels. It makes employees' jobs easier by providing them with direct access to the files and programs they need and better serves customers by providing them with the quickest avenues to specific websites and business environments.
Cloud solutions. Companies continue to overhaul their environment by moving major systems and applications to the cloud for increased access and connectivity. Benefits include more flexibility and scalability, a higher level of collaboration and potential cost savings.
Governance, risk and compliance tools. These applications are designed to streamline an organization's governance program while mapping governance and risk requirements to business processes.
Resilience. Companies must create a sound resilience program to facilitate business continuity in the event of a cyberattack. This includes creating effective backups, undergoing periodic business impact analyses, practicing incident responses, and establishing a recovery time objective and a recovery point objective to limit downtime and data loss.
Third-party risk management. The use of vendors is only growing, and a comprehensive third-party risk management approach will help companies understand and evaluate the potential risks that outside companies could introduce.
Proper perspective on cybersecurity. While emerging topics such as AI require increased attention from the board, they should not reduce the time and energy the board dedicates to cybersecurity. Cyberattacks are an ongoing, critical threat to business operations, and oversight and risk mitigation should always have a seat at the table and be at or near the top of the agenda.
The most effective cybersecurity strategy for boards involves working with management to create an overall framework to address digital risk.
Taking on these challenges begins with the board and management team developing a shared understanding of the systems that make up every enterprise. This is known as “enterprise as a system” (EAS), a web of IT (applications, servers, databases, hosted solutions) and physical elements that comprise and enable your organization, including the people that operate them.
Boards and management teams need a business-level understanding — not technical knowledge — of how these systems work and interact across the enterprise, which is achievable through three essential actions.
• Organize the board and management team for optimal governance and management.
• Educate the board, management and employees about the EAS and its related cyber risk.
• Foster a culture in which all stakeholders share responsibility for cybersecurity.
With increasing digital risks and evolving compliance regulations, companies may be motivated to simply take a step back and lock down their digital tool set as much as possible. However, that strategy just isn't practical for ongoing success — new technology, with its attendant risks and rewards, is required to stay competitive and advance the business. Companies need tools like the IoT and AI, but must be careful about how they evaluate and use them.