With Most Fortune 500 Companies Unprepared for New SEC Cyber Regulations, What Should Their Board of Directors Do? A Q&A with Dr. Herb Lin, Senior Research Scholar for Cybersecurity at Stanford University

Dr. Herb Lin, senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution at Stanford University.

Dr. Herb Lin is a senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. In 2016, he served on President Obama’s Commission on Enhancing National Cybersecurity. He is co-author of "Bytes, Bombs, and Spies-The Strategic Dimensions of Offensive Cyber Operations" published by The Brookings Institution Press. He received his doctorate in physics from MIT.

Q. With Fortune 500 companies accelerating their usage of emerging technologies such as generative AI to support their innovation goals, the risk of cybersecurity breaches continues to grow. In 2022, the global average cost of a data breach was $4.35 million, while the number was more than double in the United States, averaging $9.44 million. While such amounts might be considered rounding errors for global biopharmas, the magnitude becomes apparent given how publicly traded companies suffered an average decline of 7.5% in their stock values after a data breach, along with a mean market cap loss of $5.4 billion.¹ Coupled with the SEC's recent cyber regulations, why don't many C-Suites allocate enough resources towards these pain points?

Dr. Lin: To your point, the SEC’s recent cybersecurity regulations and talent management factors are two of the key reasons for inadequate resources being allocated toward this critical strategic theme. The SEC’s recent cybersecurity rules require publicly enlisted companies to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the company’s cybersecurity policies, procedures, and strategies.²

Given the complexity and broad expectations of these rulings, frankly most boards do not have the expertise to fully appreciate these demands and what needs to be invested to address these ongoing risks. For example, a recent Spencer Stuart U.S. Board Index pointed to the overall lack of technology expertise, especially cybersecurity expertise being added to boards on the S&P 500. Of the 456 new independent directors who joined S&P 500 boards in 2021, only 3.9% had experience leading a function such as cybersecurity, IT, software engineering, or data and analytics.³

Indeed, we also see very few chief information security officers (CISOs) with direct access to boards. Heidrick & Struggles’ 2022 Global CISO Survey indicates that in the United States, only 14% of all CISOs said they sit on a corporate board or both a corporate board and an advisory board.⁴ Given the underlying challenges of cybersecurity,⁵ CISOs need to have a seat at the (board) table and readers can hear my thoughts in greater detail via a recent podcast which I’ll share.⁶

Q. Given other potential competing resource needs that are being presented to executives, what are three pragmatic choices that readers should consider as they progress in 2024?

Dr. Lin: First, recognize that when C-Suites promote the importance of innovation in their organizations, they are also elevating cybersecurity risks. By its very nature, true innovation is disruptive and will require risk taking measures to address changes in existing people, processes, and technologies. These risks manifest themselves even as you read this article: Korn Ferry noted that there are efforts to hack US computers with Internet access roughly every 39 seconds.⁷

So, CEOs need to have CISOs with the fortitude to identify cybersecurity risks and potential remediation tactics that might very well delay the growth plans of the firm. Put differently, they need to realize that information security is more than just a service function for the company.

Second, precisely because addressing cybersecurity risks might negatively impact business plans, CISOs need to have some basic level of fluency with the business of the firm. All too often, CISOs are brought in as hired guns to “fix the cybersecurity problems of the firm” without any acknowledgment that business strategy might affect cybersecurity risks. CISOs must be able to recognize business goals as well as security goals if their advice is to be heeded.

In addition, they must be able to speak about risks and potential solutions in terms that other board members can easily grasp; it cannot be too technical. For example, the CISO might reference existing data points, such as “... Fortune 1000 companies have a 25% probability of being breached, and 10% of them will face multi-million loss. In smaller companies, 60% will be out of business within six months of a severe cyberattack.”⁸ Moreover, they might consider crafting a balanced scorecard with cybersecurity elements that were described in Keri Pearlson’s article in the October 2023 Harvard Business Review.⁹

Finally, boards can ask a simple but pointed question of their C-suites for insight into how the C-suite views cybersecurity as an essential aspect of business strategy (as opposed to something that is relegated only to operations): has the C-Suite ever changed a business goal or modified a business strategy because of cybersecurity considerations? If the answer is “no,” then it is pretty clear that the C-suite has not integrated cybersecurity into business planning. Moving forward, cybersecurity risks are only going to grow, and the new environment will require CISOs talking directly with the C-suite.

About the Author

Michael Wong is an emeritus board member of the Harvard Business School Healthcare Alumni Association.

References

1. Huang, Keman, Wang, Xiaoqing, Wei, William, and Madnick, Stuart, The Devastating Business Impacts of a Cyber Breach, Harvard Business Review, May 04, 2023
2. Zeijlemaker, Sander, Hetner, Chris, and Siegel, Michael, 4 Areas of Cyber Risk That Boards Need to Address, Harvard Business Review, June 2, 2023
3. Daum, Julie Hembrock, Hannon, Kate, Zakre, Eric T., Cybersecurity and the Board, Spencer Stuart, July 2022 https://www.spencerstuart.com/research-and-insight/cybersecurity-and-the-board
4. Aiello, Matt, Thompson, Scott, Randria, Max, Reventlow, Camilla, Shaul, Guy, and Vaughan, Adam, 2022 Global Chief Information Security Officer (CISO) Survey, Heidrick & Struggles, 2022
5. https://www.lawfaremedia.org/article/the-national-cybersecurity-strategy-breaking-a-50-year-losing-streak
6. https://a16z.com/podcast/a16z-podcast-cybersecurity-in-the-boardroom-vs-the-situation-room/
7. https://www.kornferry.com/insights/this-week-in-leadership/cybersecurity-leadership-2019
8. Zeijlemaker, Sander, Hetner, Chris, and Siegel, Michael, 4 Areas of Cyber Risk That Boards Need to Address, Harvard Business Review, June 2, 2023
9. https://hbr.org/2023/10/a-tool-to-help-boards-measure-cyber-resilience