With board governance newly challenged by cybersecurity issues, the National Association of Corporate Directors is turning to Christopher Hetner as its special adviser for cyber risk.
“The days for just writing a check for cybersecurity are over,” says Hetner, referring to the need for more active and nuanced oversight. He recently joined Marsh as managing director of cyber-risk security consulting after serving as senior adviser for cybersecurity policy to the chairman of the Securities and Exchange Commission, currently Jay Clayton.
Corporate boards clearly grasp the magnitude of the threat. Surveys, including the NACD's annual public company governance survey, show cyber to be at or near the top of directors' priority lists. (See "Directors Come to Grips with Digital Transformation.")
But fully understanding and quantifying these fast-emerging and evolving risks is a challenge for front-line risk managers and information security personnel, let alone the many corporate directors who are not experienced or educated in these disciplines.
“Disruption and Change”
With Hetner, NACD gains “access to one of our nation's foremost authorities on cyber risk and resilience oversight,” Peter R. Gleason, the association's president and CEO, said in a March 4 announcement. “As the rapid acceleration of technology presents increasing disruption and change for businesses, Chris's expertise will inform NACD as we work to provide guidance to directors and the companies they oversee.”
“Public company directors play a pivotal role in guiding company oversight of cybersecurity,” Hetner said. “It is an honor to be working with NACD to help bring about tangible improvement in the oversight of cyber risk.”
As a member of NACD's Board Advisory Services faculty, Hetner will be “providing in-boardroom, hands-on training to boards on improving cyber resilience and cyber-risk oversight and management,” the association said. “He will provide key insights to help inform NACD's overall content development in the area of cybersecurity, and he'll bolster NACD thought leadership on cyber preparedness and cyber-risk mitigation. He'll also help facilitate NACD's engagement with Capitol Hill and regulatory agencies on cyber matters.”
Senior Security Roles
Over more than 25 years in cybersecurity, risk management and compliance, Hetner has led Ernst & Young's Wealth and Asset Management Cybersecurity practice, served as global chief information security officer at GE Capital, and led global information-security programs as senior vice president in Citigroup's Institutional Client Group.
At the SEC, he helped establish the cybersecurity policy advisory role in 2016, when the agency's chair was Mary Jo White. Hetner served as the cybersecurity leader for the Technology Control Program in the SEC's Office of Compliance Inspections and Examinations as well as SEC staff representative to the U.S. Treasury's Financial Banking Information Infrastructure Committee and to the G-7 Cyber Expert Group.
When the SEC announced last September that Hetner would be moving on, Clayton said, “During his time at the SEC, Chris has worked diligently to enhance the agency's cybersecurity capabilities and improve cybersecurity coordination among the financial regulatory community in the U.S. and abroad.”
Metrics and Analytics
In an interview, Hetner stressed the complex and multidimensional nature of cybersecurity implementation and oversight. Quantifying cyber risk exposure is critical, and anything from new acquisition targets to vendors to potential customer defections or regulatory fines could be part of the calculation. Proper metrics can inform whether to go through with proposed transactions and initiatives, and when to transfer risk with insurance.
Both quantitative and qualitative factors come into play when a company expands its geographic footprint, Hetner says. Starting operations in Asia or Eastern Europe could expose a business to previously unseen bad actors.
He refers to embedding cybersecurity in enterprise risk management, crisis management and recovery-planning exercises as developing “cyber muscle.” Although he is seeing more tech expertise integrated with the traditional financial focus of boardrooms, he says, “There is still a ways to go.”