Cybersecurity risk continues to intensify. The acceleration of artificial intelligence (AI) and digital strategies, the increasing sophistication of hacking and ransomware attacks, the war in Ukraine, and ill-defined lines of responsibility – among users, companies, vendors, and government agencies – have elevated cybersecurity risk and its place on board and committee agendas.
Boards have made strides in monitoring management’s cybersecurity effectiveness. For example, some have greater IT expertise on the board and relevant committees (although that expertise is in short supply). Other efforts include company-specific dashboard reporting to show critical risks and vulnerabilities; assessing cybersecurity talent; weighing vulnerabilities and emerging threats; war-gaming breach and response scenarios; and discussions with management on the findings of ongoing third-party risk assessments of the company’s cybersecurity program. Despite these efforts, the growing sophistication of cyber-attacks points to the continued cybersecurity challenge ahead.
Boards should monitor regulatory developments such as the EU Cybersecurity Act and the Digital Operational Resilience Act (DORA). The Cybersecurity Act strengthens the EU Agency for Cybersecurity (ENISA), grants it a permanent mandate, and gives it more resources and new tasks. It also introduces an EU-wide cybersecurity certification framework for ICT products, services and processes. Through DORA, the EU aims to establish a comprehensive and unified digital framework for financial institutions by aligning today’s (limited) rules on information and communication technologies (ICT) governance, better managing ICT risk and incident reporting, and eliminating gaps in information sharing, risk management and digital testing.
While data governance overlaps with cybersecurity, it’s broader and includes compliance with industry-specific privacy laws and regulations, as well as privacy laws and regulations that govern how personal data – from customers, employees, or vendors – is processed, stored, collected, and used.
Data governance also includes policies and protocols regarding data ethics – in particular, managing the tension between how the company may use customer data in a legally permissible way and customer expectations as to how their data will be used. Managing this tension poses significant reputation and trust risks for companies and represents a critical challenge for leadership. To oversee cybersecurity and data governance more holistically:
- Insist on a robust data governance framework that makes clear what data is being collected, how it is stored, managed, and used, and who makes decisions regarding these issues.
- Clarify which business leaders are responsible for data governance across the enterprise – including the roles of the chief information officer, chief information security officer, and chief compliance officer.
- Reassess how the board – through its committee structure – assigns and coordinates oversight responsibility for the company’s cybersecurity and data governance frameworks, including privacy, ethics, and hygiene.
An increasingly critical area of data governance is the company’s use of AI to analyze data as part of its decision-making process. Boards should understand how AI is developed and deployed, and should ask questions such as:
- What are the most critical AI systems and processes the company has deployed?
- To what extent is bias – conscious or unconscious – built into the strategy, development, algorithms, deployment, and outcomes of AI-enabled processes?
- What regulatory compliance and reputational risks are posed by the company’s use of AI, particularly given the global regulatory focus on the need for corporate governance processes to address AI-related risks, such as bias and privacy? How is management mitigating these risks?
Many directors may be uncomfortable with responsibility for overseeing AI risk because of their lack of expertise in this area. However, boards need to find a way to exercise their supervision obligations, even in areas that are technical, if those areas present enterprise risk, which is already true for AI at some companies. That does not mean that directors must become AI experts, or that they should be involved in day-to-day AI operations or risk management, but directors at companies with significant AI programs should consider how they will ensure effective board-level oversight with respect to the growing opportunities and risks presented by AI.