Cyber risk climbs the organizational priority ladder every year, but it accelerated in a unique way with the pandemic conditions of 2020. The World Economic Forum’s newly-released principles for board governance of cybersecurity offer a base of best practices for dealing with this new reality, with a new element being a strong emphasis on organization-wide implementation of cybersecurity culture.
The report identifies six core principles that the WEF believes are items of the most immediate importance, with an eye toward expanding them into a research agenda at some point in the near future. The ultimate goal is a cohesive approach to cyber risk governance that can be applied globally. For the moment, the project supports each of these core principles with a basic framework aimed at facilitating immediate implementation.
Principles of board governance established to tackle an increasingly digital world
The WEF research team, composed of members of the Internet Security Alliance (ISA) and drawing from surveys conducted among the National Association of Corporate Directors (NACD), cautions that business leaders need to immediately begin viewing cyber risk as a “potentially existential” concern. Both consumers and government regulators now judge companies by how tightly they run their security and how well they protect the sensitive personal information entrusted to them.
The WEF’s ideal vision is a “cohesive, global, cross-border approach to cyber risk governance.” That doesn’t exist as of yet, but the report is intended as a first step. The most important core element, convincing board directors that cybersecurity should be a priority for improvement in the immediate future, appears to already be a majority opinion with 60.5% of NACD respondents classifying it as “important” or “very important.” Additionally, 70% view cyber threats as a “strategic, enterprise risk.”
Respondents to the World Economic Forum Global Risk Report 2021 listed “cybersecurity failure” as the fourth most pressing business risk in the near term (0 to 2 years), behind only infectious diseases, livelihood crises and extreme weather events. Rapidly developing and changing cybersecurity threats were also #4 on the list of expected trends that will have the greatest impact on companies in the coming year.
The six board governance principles begin with the suggestion that cybersecurity be viewed as a strategic business enabler rather than merely an “IT issue.” WEF frames cyber risk, which has now increased to the point that it is virtually omnipresent, as a continual opportunity to both preserve and create value. Key board governance considerations here include regular inclusion of cyber risk considerations in board meetings, ensuring that a board committee has oversight of cyber issues and asking executives to identify opportunities to use cybersecurity as a market differentiator or business driver.
The second board governance principle is developing a clear understanding of economic drivers and impact of cyber risk. Board governance suggestions here include regularly engaging in scenario planning that models trade-offs between digital transformation and cyber risk, and establishing a consistent risk quantification framework for calculating likelihood and economic impact of various cybersecurity scenarios.
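The quantification framework the second principle calls for is easiest to grasp with numbers attached. The following is an added example, not the WEF's framework or code from the report: it takes each cyber risk scenario as a range of annual event frequency and a range of per-event loss, produces a simple point estimate of annualized loss expectancy, and runs a seeded Monte Carlo simulation to show the spread (median and 90th percentile) that a board would need in order to compare scenarios consistently. The scenario names and ranges are constructed sample inputs, and the choice of Poisson event counts with a lognormal loss magnitude is an assumption of this example.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """One cyber risk scenario expressed as calibrated ranges (constructed inputs)."""
    name: str
    freq_low: float    # plausible minimum events per year
    freq_high: float   # plausible maximum events per year
    loss_low: float    # ~5th percentile loss per event, USD
    loss_high: float   # ~95th percentile loss per event, USD


# Constructed sample scenarios; the numbers are illustrative, not from the report.
SCENARIOS = [
    Scenario("Ransomware outage", 0.1, 0.5, 200_000, 2_000_000),
    Scenario("Customer data breach", 0.05, 0.2, 500_000, 5_000_000),
]


def point_estimate_ale(scenarios):
    """Deterministic annualized loss expectancy: midpoint frequency x midpoint loss."""
    return {
        s.name: ((s.freq_low + s.freq_high) / 2) * ((s.loss_low + s.loss_high) / 2)
        for s in scenarios
    }


def _poisson(rng, lam):
    # Knuth's method; adequate for the small annual rates used here.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def _lognormal_params(low, high):
    # Treat low/high as the 5th/95th percentiles (z = +/-1.645) of a lognormal.
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma


def simulate_annual_loss(scenarios, iterations=10_000, seed=1):
    """Return a list of simulated total annual losses across all scenarios."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    totals = []
    for _ in range(iterations):
        total = 0.0
        for s in scenarios:
            rate = rng.uniform(s.freq_low, s.freq_high)
            mu, sigma = _lognormal_params(s.loss_low, s.loss_high)
            for _ in range(_poisson(rng, rate)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def summarize(totals):
    """Mean, median and 90th percentile of simulated annual loss."""
    ordered = sorted(totals)
    n = len(ordered)
    return {
        "mean": sum(ordered) / n,
        "p50": ordered[n // 2],
        "p90": ordered[min(n - 1, int(0.9 * n))],
    }


if __name__ == "__main__":
    for name, ale in point_estimate_ale(SCENARIOS).items():
        print(f"{name}: point-estimate ALE ${ale:,.0f}")
    stats = summarize(simulate_annual_loss(SCENARIOS))
    print(f"Simulated annual loss: mean ${stats['mean']:,.0f}, "
          f"median ${stats['p50']:,.0f}, P90 ${stats['p90']:,.0f}")
```

The point estimate alone hides the tail: because losses are heavy-tailed and most years see zero events, the median year is usually far below the mean while the 90th percentile is far above it. Presenting all three figures on the same basis for every scenario is what makes the framework "consistent" in the sense the principle intends.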
The third board governance principle is to align cyber risk management with business needs. This can be done by requiring the C suite to report to the board on the cybersecurity implications of their activities and to develop tested plans for anticipated events, and by requiring management to provide the board with road maps of the company’s determinations of risk materiality through the lens of regulatory obligations.
The fourth board governance principle is to ensure that organizational design supports cybersecurity. Suggestions in this area include setting expectations that cybersecurity receives adequate funding and staffing, cultivating a cybersecurity culture that extends beyond the IT department and appointing an accountable officer responsible for coordinating organization-wide cyber risk strategy.
The fifth principle is to integrate cybersecurity expertise into board governance. This could mean regular training for board directors, soliciting regular reports from third-party advisors / assessors, or periodic audits among other possibilities.
The final suggested board governance principle is to encourage systemic resilience and collaboration. The report suggests the creation of peer networks for sharing best practices that extend beyond individual organizations, putting similar collaboration plans in place and sending management to participate in industry groups and knowledge-sharing platforms.
Cyber risk requires increased funding, attention and collaboration
While there is much more subtlety to the case than this, the report boils down to a fundamental argument: boards need to devote more attention to cybersecurity and commit more resources and staffing to keep pace with a rapidly growing risk. However, the one entirely new element here (in the sense of not being suggested in prior WEF publications) is the emphasis on inter-organization collaboration and a general refocus on cyber risk as a systemic and pernicious threat that manifests in very similar ways across all sorts of businesses. Cyber risk must not only move up the ladder from technicians to an active role among boards of directors; management must also engage on the topic with the management of other organizations to improve outcomes.