Challenges in governing cyber risk management
In a recent post, Addressing cyber threats couldn’t be more important, I described the sheer scale of the cyberthreat facing financial institutions. The threat could not be more palpable.
Boards of directors play a key role.
I recently had the pleasure of facilitating a discussion at the SINET Innovation Summit between directors of major firms in the US and abroad on the challenges boards face in overseeing cyber risk management.
Three main issues stood out:
1. Digital immigrants vs digital natives: It is too easy to say the challenge in the boardroom is generational: those governing companies are from a different generation from those managing the business, or directors don’t understand millennials. Such statements trivialize the challenge. If anything, we are talking about micro-generational challenges – our 10-year-old interacts with technology differently and more fluidly even than our 16-year-old – never mind how differently they use or understand technology compared to me.
One director expressed the challenge clearly – those governing and managing firms today are digital immigrants; they didn’t grow up with technology at school or for the first 20 or 30 years of their careers. Even when they did experience IT-related issues, they assumed it was the role of the IT team to address them. If they had a role, it was finding funds to make the issue go away.
Cyber is that much more challenging – it doesn’t go away. It simply evolves and becomes ever-more challenging and pervasive. Those that get cyber are the digital natives – they have grown up in an era of technology, and their expectations have been shaped by that context. They understand more access may mean more threat – but, nonetheless, they expect and want access, and want their needs catered for, ideally in a tailored way, but always quickly.
In governance terms, this means middle management – those from the Xennial generation (google it) and those born afterwards – have to translate cyber and technology challenges into ones digital immigrants understand. Communications have to be in plain English. Avoid techno-babble – as one director put it bluntly, he assumes executives who rely heavily on technical terms or acronyms are not secure in their role and can’t translate their issues into business terms. Remember, only 12% of directors identify IT as a skill they bring into the boardroom.[1]
2. Cyber, at its basic level, isn’t so complicated: You can debate with cyber professionals for hours as to whether cyber is a truly unique risk. It can cause the complete shutdown – maybe even failure – of a firm almost instantaneously. The threat is ever-evolving. It can’t be measured. The bad actors are well funded and persistent. It’s a national-security issue. And so on.
In some ways, these statements have some truth to them. The risk is relatively distinct – few risks are truly life-threatening – yet, for banks, a lack of liquidity or loss of confidence has been shown to have those characteristics. The cyber-threat does evolve, but so too does the way risk overall is promulgated and dispersed across financial services and beyond. Cyber is hard to measure, for sure – but so, too, is conduct, reputational, strategic, vendor, and many other nonfinancial risks. Yes, it’s a national security issue – but the last financial crisis showed that, when it comes to financial services, anything that could bring down the industry has massive domestic and global ramifications.
Directors look at cybersecurity with the same pragmatism, as the comments by the directors on our SINET panel showed. Boards approach cyber similarly to other complex risks. The governance questions are similar: Do they trust their management team to manage cyber risks effectively? Does the management team view cyber risk as an enterprise risk that needs to be embedded across the organization (what directors want to hear), or does it approach it as an IT issue only (what directors do not want to hear)? Is management considering cyber risks created by vendors, and if so, how is it managing those risks? Does management understand the firm’s cyber threats and vulnerabilities? Do they know the firm’s most important assets – the crown jewels – and are they protecting them more than others? Is the cyber program well resourced?
On measurement, almost every director I’ve spoken to about cyber risks wants better cyber reporting. The metrics they receive routinely – or the subset of metrics in their risk-appetite statement that cover cyber – seem highly limited and don’t link well to the threats and vulnerabilities identified by management. There rarely seems to be a strong logical grounding for why the metrics used are the most important – rather, they seem to be the ones that are simply readily available, and they are often performance metrics rather than risk metrics (think of one of the most common cyber metrics – attacks successfully defended: even a 99% success rate is almost irrelevant if the 1% that gets in is the most dangerous).
One director recommended firms report to boards on trends. Take a simple metric that relates to the threat created by employees through phishing. Reporting on the percentage of employees who have been phished may seem too basic, but analyzing it over time speaks to a host of issues, such as training, awareness, firewall defenses, and more. The trick is finding metrics that cover a number of risks, and ensuring boards understand what those metrics represent and can use them to provide more effective challenge of management.
3. Getting differing perspectives into the boardroom makes a real difference: Not so long ago, boards relied heavily – perhaps exclusively – on the chief information security officer (CISO) to discuss cyberrisks facing their firm, and how well they are addressing them. The CISO – perhaps supported by their (typical) boss, the CIO – led board and committee engagement.
Today, the CISO is still important, but he or she is now more like the first among equals, not the sole source of insight. As financial institutions build out their three-lines-of-defense cyber risk management approach, the board and its committees now want to hear from others in the first line – notably on how cyber is being embedded in the innovation agenda, in novel technologies such as robotics automation and distributed ledger technology, and in client-facing portals and online access points.
From the second line, boards want to hear from the chief risk officer or operational risk leader on their independent view on the firm’s cyberrisk profile, and from compliance on how well the firm is implementing cyber requirements, as well as hearing from their brethren in privacy and information security on their approach to protecting customers’ confidentiality.
The view from the third line – internal audit – is also important. Cyber is now covered in many audits, so internal audit has good visibility into the integrity of the firm’s overall cyber risk management framework, how well it is being implemented, and how well the firm is keeping up with leading industry practice.
A SINET conference attendee asked how boards validate that they are getting a clear view of cyber risks. Doesn’t having the first-line cyber leader report to the CIO mean the CISO holds back when addressing the board? Directors said any reporting line has challenges. The trick is spending time alone with the cyber leader, asking if there are issues she or he wants to bring to the board’s attention, and probing whether their group is getting the resources and management attention it needs to be successful.
Directors want to hear external views. One director spoke of bringing third parties into their board-level technology committee. Another spoke of attending external events to stay current.
Cyber governance plays an increasingly important role in firms’ evolving approaches to cyber risk management. Directors know cyber matters. Management now has to engage directors more effectively: in ways that avoid confusing directors with techno-babble, by bringing more perspectives from across the firm, and by being open to outside perspectives when discussing cyber trends and how well the firm is protecting itself. Only then can boards provide the effective challenge we all expect of them.
For more insights on cyber risk governance, visit www.ey.com/fscyber
The views expressed in this post are mine and do not necessarily represent EY’s position.
[1] Spencer Stuart/Corporate Board Member, What directors think, May 2018.