Cyber Risk Trends in the Boardroom: A Q&A with Marija Kramer
Recent SEC enforcement actions have reinforced the importance of cybersecurity to corporate boards. How are boards reacting to this increased scrutiny, and what steps are they taking to improve their cyber-risk disclosures and to mitigate risk?
Friday, October 15, 2021
By Christopher Hetner
Ramping up its focus on cybersecurity disclosures, the SEC recently upped the ante on financial institutions' management of cyber risk. Following enforcement actions against eight financial services firms, the SEC's underlying message to corporations has come across loud and clear: cybersecurity needs to be treated just as seriously as disclosures for other types of risks.
While it may be some time before the SEC adopts a final rule on cybersecurity disclosures, the regulator is expected to issue a proposal later this year that should yield more information on the nature and scope of future disclosure requirements - as well as related enforcement methods.
Against this backdrop, it is critical for every financial institution to consider its response to the potential for more stringent cyber-risk regulations. To comply with SEC requirements, and to avoid potential penalties, fines and reputational damage, cybersecurity information policies, board oversight and overall governance of enterprise cyber risk strategies must all be clearly defined.
As managing director and business head at ISS Corporate Solutions (ICS) - an advisory firm that helps companies design and manage their corporate governance, executive compensation and sustainability programs - Marija Kramer is very familiar with board-disclosure trends and governance issues.
In a recent interview with Risk Intelligence, Kramer shared insights on cyber risk mitigation techniques, the evolution of board disclosures on cyber risk, and the need for cybersecurity collaboration between the board and senior management.
Christopher Hetner (CH): Marija, really appreciate you making the time to speak with us today. Given the recent SEC enforcement activity focus, what can you tell us about the kinds of disclosures made by corporate boards on cybersecurity? Moreover, what is the quality of these disclosures?
Marija Kramer (MK): With cyber intrusions and ransomware events continuing to wreak havoc in the corporate world, investors and regulators are, not surprisingly, demanding greater transparency related to cybersecurity risk. We've seen boards respond to this demand by providing more clarity for both general and information-security-risk disclosures, as reflected in corporate annual reports, proxy statements, 10-Ks, and other publicly disclosed materials.
Furthermore, in our recent analysis of governance-quality scores for firms listed in the S&P 500 and broader Russell 3000 indices, ICS found that 33 percent of companies issued clearly-defined approaches to identifying and mitigating information-security risks. This reflects a modest increase from five months ago, when just 28 percent disclosed the same.
A clear cybersecurity approach can include a company's adoption or certification of an information-security standard (such as ISO/IEC 27005), along with specificity within its disclosures on how it mitigates and manages cyber risk.
CH: These observations certainly give insight into the trending of these kinds of disclosures. In terms of boardroom awareness and expertise, can you speak to how boards are addressing cybersecurity?
MK: Companies most often develop strong information-security governance programs in the wake of a costly data breach. Investors and regulators expect board expertise and broader transparency around cyber risk - led by, for example, an information-security governance committee tasked with cyber oversight. This can be a standalone committee or fall under the purview of an existing committee, such as audit.
Through analysis of our governance-quality score data, we found that 83 percent of the S&P 500 companies have committees tasked with oversight of cybersecurity. Furthermore, boards are expected to identify, mitigate and respond to cybersecurity risks. To that end, our analysis revealed that S&P 500 companies have an average of seven directors with information security experience and expertise, while Russell 3000 companies have an average of three.
However, while there has been improvement on the number of board members with cybersecurity experience, there is less transparency around exactly how often senior management briefs the board on cyber risks. In the aforementioned ICS analysis of S&P 500 and Russell 3000 companies, 64 percent of respondents declined to disclose how often these briefings occur.
CH: What can boards do to better align with senior leadership to understand their organization's cyber risk exposure in business terms?
MK: Boards have a general obligation and a fiduciary duty to protect company assets from material, adverse reputational, financial and operational exposures. That said, it's imperative for boards to operate under the same oversight principles set forth for their overall business - and to view cybersecurity risks under the same lens.
Board briefings from management should include identification of policies and processes put in place to identify, manage and mitigate material cyber risks, along with an explanation of the potential financial impact any unaddressed cyber risks could have on the company. Addressing cyber risk in business terms bridges the disconnect often found between company boards and management/IT teams.
Finally, from a disclosure standpoint, it's critical that boards consider and evaluate the quality of their cyber disclosures in the future. For example, do the disclosures communicate comprehensively the firm's existing cybersecurity risk management program?
Considering recent SEC enforcement actions on cyber risk, we expect more regulatory scrutiny around the quality of cybersecurity disclosures.