Cybersecurity is an enterprise risk that requires ongoing and significant board and executive attention. Attacks are unpredictable, have an immediate impact on day-to-day operations and often generate real-time reputational damage.
New disclosure regulations regarding cybersecurity risk are in place. These include a description of the board's oversight and management's role in assessing and managing material risks from cybersecurity threats.
Enterprise risk has been in focus for U.S. public companies throughout the 21st century. Yes, companies have been considering and managing enterprise risk since the beginning of the corporate era, but regulation and attention in public markets are relatively recent. The financial services industry has experienced the most significant impact from increased regulatory focus.
While cybersecurity is an untraditional risk, there are learnings and principles from the financial crisis that boards would be wise to reflect on and incorporate into a more robust and systematic approach to cybersecurity risk. We think the answers to three questions can help boards understand their readiness and next steps in cybersecurity risk management.
Does the board have appropriate expertise to digest and assess cybersecurity risk? Boards need to be sufficiently versed in an extremely complicated topic so they can adequately fulfill their responsibilities to probe and challenge as necessary. This should include ongoing director education through external programs, deep-dive discussions with relevant teams/executives from the company and specific board committee responsibility for cybersecurity.
We think every board, regardless of industry, should add IT/cybersecurity as a required skill at the board level (i.e., include in the director skills matrix) and assess their next steps accordingly. Where perceived threat is highest (for example, highly automated operations or meaningful digital IP), ensure that multiple directors have directly relevant expertise. Those individuals would work with management in depth and be responsible for board discussion.
Does the board have the right focus and information flow with management on cybersecurity matters? Increased engagement with chief information officers (CIOs) and chief information security officers (CISOs) allows boards to understand and assess potential risks and provide input into management plans, controls and processes to address significant security breaches comprehensively.
Changes in governance across the financial services industry post-financial crisis are instructive. In banking, two significant things happened. First, chief risk officer responsibility increased significantly, including joint reporting responsibilities to the board as well as the CEO. Second, there were much higher regulator expectations of the audit committee (and, sometimes, a newly created risk committee), including expertise, engagement and specific knowledge of company activity.
While the risk is different in nature, the downside risk is dramatic and requires a similar level of preparedness and expertise. Boards should consider two structural changes to governance to ensure expertise and independent perspectives are used effectively. One is having the CIO/CISO report jointly to the board and CEO. Another is the formation of a board technology risk committee to enable more focused work by qualified directors in conjunction with management.
How should compensation reflect management of these risks? Incorporating enterprise-level risk into compensation systems is important and multidimensional. An effective system attracts the right expertise, encourages appropriate behaviors and ensures that responsible actions are taken to protect stakeholder interests. Ask three more questions:
Are we investing enough in cybersecurity talent? Boards should anticipate a need to invest in building appropriate teams and retaining skilled professionals. There is a parallel here with the financial crisis — the cost of internal audit and risk functions was materially higher, in the aggregate as well as on a per-role basis. Increasing the company's ability to assess and plan for enterprise risk also parallels the board's responsibility to build its own expertise.
How do we incorporate risk avoidance and preparedness into pay programs? The most common approach to compensating risk personnel is to deliver a portion of pay on individual achievement. One of the more dramatic shifts post-financial crisis was a trend to pay CROs and internal audit leaders based on performance assessment by the audit committee, and, in some cases, using restricted stock units instead of performance-linked equity to create intentional differences in incentives between frontline executives (who take risks) and control-function executives (who manage risks).
Given the nature of cyber risk (untraditional, black swan), we think it's critical for the board or committee to have deep knowledge of company risk-mitigation plans, individual performance goals at the leadership level and input into compensation decisions, including factors specific to cyber risk planning and preparedness.
There is a small trend toward including cyber risk as a factor in annual bonus decisions for a broader population. According to EY, nine Fortune 100 companies, up from zero in 2018, linked a portion of short-term bonuses for named executive officers to a cyber goal in 2022.
Do our pay programs allow us to act appropriately when risk events occur? Cybersecurity breaches can bring bad publicity and significant impact on financial and operational results. Boards must maintain flexibility to use their judgment in assessing the impact of exogenous events on overall compensation. We believe annual incentive targets would be most appropriate when the company is implementing significant enterprise-wide changes in cybersecurity readiness or after a cyber event, ensuring that remediation and systems fixes occur.
In a significant downside scenario, boards need to understand their degrees of freedom to adjust compensation based on answers to several key questions:
- Was the risk knowable and/or avoidable?
- Was communication with the board timely and appropriate?
- Were mitigation plans implemented effectively and in a timely manner?
- Was appropriate judgment used to address the specific situation (understanding that mitigation always requires “audibles” and shifting approaches)?
This qualitative assessment is more important to responding to the occurrence of a risk event than simply reviewing the financial outcomes. Boards should consider all the tools at their disposal when considering pay-related actions and must rely on their judgment versus formulaic assessment of results.
In addition to developing a framework for determining adjustments to current-year compensation, boards should review the clawback language to assess where there is flexibility to claw back compensation, if appropriate (e.g., the breach was caused by gross negligence or reasonable mitigation steps were not taken to limit damage after the breach). In considering whether to add such a clawback, and the appropriate language, a review of risk clawbacks added by many large financial institutions after the financial crisis may also be informative.
Navigating Cyber Complexity
Amidst the backdrop of escalating cyber threats and tightened SEC regulations, boards will want to build their fluency in cybersecurity, step up their cyber risk management processes and build appropriate compensation tactics to reinforce cyber risk management. As the board's mandate continues to expand in new ways, the financial services industry's successful risk management practices can serve as a useful guide for navigating evolving cybersecurity complexity.