Corporate Governance in the Age of Cyber Risks

Corporate boardrooms are waking up to the encroaching, systemic threat of cybersecurity risks. But while awareness is growing — more than 80% of boards now discuss cybersecurity at most, if not all, of their meetings — many directors simply are not sure if they have the information and tools at their disposal to provide effective oversight with respect to today’s hacking dangers, especially intrusions sponsored by nation-states. At the recent “Cyber Risks in the Boardroom” conference held in New York, leading experts in the public and private sectors shared their perspectives for directors as they navigate these uncharted waters. Strategic conversations with cybersecurity experts also informed this report. The conference was sponsored by Sullivan & Cromwell, RANE (Risk Assistance Network + Exchange) and Knowledge@Wharton, in collaboration with AIG, Spencer Stuart and the John Jay College of Criminal Justice.

Corporate boardrooms are waking up to the encroaching, systemic threat of cybersecurity risks. But while awareness is growing — more than 80% of boards now discuss cybersecurity at most, if not all, of their meetings — many directors simply are not sure if they have the information and tools at their disposal to provide effective oversight of top management to handle today’s hacking dangers, especially intrusions sponsored by nation-states.

Information and expertise in this area are scarce. Companies have demonstrated a reluctance to disclose data breaches and have been cautious in contacting authorities. The government has made some efforts to encourage public-private cooperation but at the same time has sought to hold the private sector responsible for data breaches. These and other factors, including concerns over costs and uneven levels of technological expertise, have contributed to the information and expertise deficit. At the recent “Cyber Risks in the Boardroom” conference in New York City, leading experts in the public and private sectors shared their perspectives for directors as they navigate these uncharted waters.

It is clear that cybersecurity is no longer chiefly the domain of CIOs, CISOs and IT departments, but rather a companywide and nationwide concern that demands oversight and direction from the boardroom and the broader community. “Nonspecialist executives and board directors all play a role in determining whether a company’s dedicated cybersecurity professionals have prepared the firm for the cybersecurity risks it faces,” said Simon McDougall, managing director and head of the cybersecurity practice at Promontory Financial Group. “Regulators and policymakers increasingly expect that board members and senior managers have a sufficient grasp of cybersecurity core principles and can collaborate with and challenge a firm’s cybersecurity specialists.” 

Doownload the Report

Source https://knowledge.wharton.upenn.edu/