Boards of Directors are under a lot of pressure these days contending with cybersecurity issues that seem to plague businesses of all sizes and industries globally. With the war in Ukraine elevating cybersecurity risks, a new SEC ruling expected in 2023 will require companies to disclose details about cybersecurity oversight, including board members with security expertise. It’s not yet commonplace for a Board of Directors to have a member with deep cybersecurity knowledge. According to a survey by the National Association of Corporate Directors, about 34% of directors believe their boards do not have enough cybersecurity expertise.

If this is the case for your Board, you should consider leveraging the assistance of a Board Advisor who specializes in cybersecurity.

Are you ready for a cyberattack?

Well, just like business has “gone global,” so have adversaries. These adversaries are not compromising businesses as “hacktivists” (i.e., to bring awareness to a cause); they are in it for the money. The threat environment is always changing, and companies are being hit every day by increasingly sophisticated tools and attack methods. Board members need to quickly understand the impact some of these threats might have on the organization they are serving. The first thing they will want to know is “how at risk is our business?” and the answer to that will depend largely on the maturity of the organization’s risk management process. They will need to know how well their organization understands and handles its risk.

Secondly, the Board will need to understand if the right controls are in place to reduce the company’s risk and lessen, or avoid, the impact posed by cyber threats. For example, ransomware is a significant cyber threat to many organizations. The Board should have a clear understanding of the risk ransomware poses to the organization and how prepared the organization is to handle an outbreak, should it be hit with ransomware.

One of the best ways to gauge a company’s readiness is reviewing the last enterprise cybersecurity Risk Assessment. If that hasn’t been performed in a while (or ever), it is highly likely that neither the Board nor company executives will have an accurate assessment of the risks posed by current threats to the organization. While risk assessments are a necessary part of any cybersecurity risk management program, a SOC for Cybersecurity analysis may be the “Good Housekeeping” seal of approval for many businesses seeking validation of their cybersecurity efforts. This report can provide greater confidence to Board members, shareholders and business executives who want confirmation that the time and money they are committing to cybersecurity are properly addressing cybersecurity risks.

Do you need a Cybersecurity Board Advisor?

You might be thinking, why do I need someone from outside my organization to provide advice to my board? That’s a great question, and there are at least two reasons to consider. First, an independent outside advisor’s focus is to provide their professional opinion regarding the effect various cybersecurity threats could have on your organization. Because they are independent, they don’t have to worry that candid observations about their own performance or the company’s existing cybersecurity posture will lead to their dismissal, as an employee might, so they can truly speak freely and openly about the company’s security posture. Second, because they are professionals, their reputation is always on the line. If they provide bad advice, they won’t be your advisor for very long. Third, external advisors often bring perspectives from other organizations that can be helpful for context and for understanding the market’s response to a particular cybersecurity matter. Conversations about cybersecurity in the boardroom are crucial to enable Board members, company management, and information security personnel to work together to implement a more effective cybersecurity program. Bringing in an independent outside advisor will ensure those conversations are unbiased and intentional regarding the overall cyber health of the organization.

We’ve all heard the phrase, “It’s not a matter of if, but when…” and in cybersecurity, the saying holds true. The Board is likely aware of the impact a cybersecurity incident has on other organizations; they see the news headlines. However, does your company’s current Board makeup have the expertise to quickly contextualize that information to your organization and then support a path forward? Properly addressing cybersecurity incidents like ransomware requires an experienced cybersecurity professional to ensure the right “things” are considered and handled correctly.

How LBMC Can Help

Bringing in the right professional to be your cybersecurity board advisor may soon be a requirement. A new SEC ruling proposes an adjustment to a reporting form to “[r]equire disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.” Additionally, consider President Biden’s Executive Order 14028: “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely… to foster a more secure cyberspace.” The U.S. government is clearly setting the stage to require U.S. companies to appropriately address their cybersecurity risks and the impacts they pose to the U.S. In the near future, companies will likely have to have cybersecurity expertise either on the board or supporting the board. Many companies are taking this opportunity to demonstrate to stakeholders their commitment to protecting data by voluntarily bringing in an outside cybersecurity advisor.

LBMC’s approach to risk assessments, penetration testing, and cyber incident response is based on our team’s many years of experience leading security functions, addressing risks, and consulting on IT security for companies of all sizes and industries. The stakes are high, and our team has been on both sides of the desk. We partner with companies to ensure there is an understanding of the challenges and security solutions that work for each organization’s unique circumstances. To learn more about how LBMC can partner with you to help you in understanding your cybersecurity risks or be your Cybersecurity Board Advisor, reach out to us today.