Enterprise cyber risk management (ECRM) is no longer just a principle for your security and compliance teams. It has a direct impact on the business, and if you’re an executive or board member, ignoring ECRM could have real-life consequences—beyond operational resilience for your business.
The Federal Trade Commission (FTC) recently issued a decision where it found an executive personally liable for a major data breach. Earlier in 2023, the FTC announced it had finalized an order with Drizly, an online alcohol marketplace, for a breach that exposed personal information of 2.5 million consumers.
The order specifically included the company’s CEO and indicated that both the company and the CEO were aware of two potential security vulnerabilities years before the breach and had not taken corrective action. On top of that, the FTC found that Drizly had made claims that it had appropriate security measures in place, which it didn’t. The FTC also said the company stored sensitive data on an unsecured platform without monitoring security threats.
As part of its corrective actions, the FTC mandated the company destroy unnecessary personal data it collected, limit future data collection, and implement a “comprehensive information security program.”
And because the CEO is included in the order, the expectation is that the order will follow that CEO if he moves to other companies. He will be required to implement an information security program if any of those future companies collect consumer information of more than 25,000 individuals and if he is a majority owner, CEO, or senior officer with information security responsibilities.
Keeping an Eye on the SEC’s Proposed Changes
It’s not just the liability to board members and executives advancing a movement for engagement in ECRM strategy—in 2022, the SEC proposed new changes and regulations that would significantly increase reporting and disclosure requirements around cybersecurity and ECRM for publicly traded companies.
While the SEC regulations apply to publicly traded companies, they should be considered by all organizations, especially healthcare providers and their business associates. While many healthcare delivery organizations are not-for-profit, many are part of public companies’ supply chains and the national critical infrastructure. Further, the SEC’s proposed changes are indicative of a bigger trend in the rise of cyberattacks, of which healthcare saw the biggest increase in 2022 over any other industry.
Getting—and Keeping—ECRM in Front of Your Board
Boards and executives have many responsibilities, so it can be challenging to get them to focus on ECRM issues, especially when they may not have previously thought about it as critical to operational resilience.
It’s important for healthcare leaders to have a realistic understanding of what the board can and can’t do, including understanding the potential information gaps that exist between the board and executives and employees tasked with the day-to-day responsibilities of cybersecurity and risk management.
When engaging the board to build support for your ECRM program, the don’ts are as important as the do’s. Avoid dumping your organization’s vulnerability data in the middle of the boardroom; it’s daunting and creates confusion. Instead, focus the board’s attention on the areas where its responsibilities matter most, for example, advancing the organization’s strategy, goals, and objectives.
Managing cyber risk requires planning for and identifying adverse events, where they are likely to happen, and what the impact would be on the organization. It’s important to understand that it’s the board’s job to look at all the risks and see how they’re linked.
For example, your organization could face a cyber event with serious financial consequences. That, in turn, could have serious talent acquisition consequences. Those and other consequences can compound and negatively impact operations at multiple levels.
“You’re really fighting for mind-share when you walk into the room,” says Bob Chaput, Clearwater Founder and Executive Chairman and author of the book Stop the Cyber Bleeding, which was adapted by The Governance Institute as a toolbook to help healthcare board members and senior executives better understand how to support and advance ECRM programs in their organizations. “The good news is the board is worried about risk. The not-so-good news is that they have lots of other things on their minds. So, if you go forward, keep that in mind.”
How to Educate Your Board about ECRM
There is no one-size-fits-all strategy for educating your board about ECRM.
You may find it helpful to build board engagement by talking about current ECRM events, which can help demonstrate what’s happening in your industry, what’s going on from a regulatory perspective, what your competitors have experienced, and what your organization can learn from these events. You can do this by drawing on experts within your organization or working with outside consultants who can share ECRM experience from across the industry and with like organizations.
For example, consider:
- Internal incidents
- High-profile external events
- Significant global, federal, state, or local regulatory changes
- ECRM-related competitor moves
- Significant changes to the threat landscape
It’s important to build upon this education to move your board and executives toward becoming ECRM allies. To do so effectively, both you and your board should understand that ECRM is not a one-and-done conversation. It should be dynamic and ongoing.
Here are some suggestions to help engage with your board, drawing on recommendations from the National Association of Corporate Directors and Internet Security Alliance:
- Be relevant for your audience (for example, are you speaking to the full board or working with a key committee?)
- When sharing information, present it in a reader-friendly way (for example, summaries, callouts, graphics, and other visuals)
- Stay away from technical jargon
- Communicate insights, not just information, to convey meaning to your board
- Explain changes, trends, and patterns over time
- Show relative performance against peers, industry averages, and relevant external indicators (for example, maturity assessments)
- Demonstrate impacts on business operations, costs, market share, etc.
- Be concise, and don’t overload them with information
- Encourage discussion and dialogue
Advancing Your ECRM Program with Board Support
As you build board engagement and mature your program, it’s important to periodically step back and ask: “Are we getting better at enterprise cyber risk management?”
To help gauge and communicate progress, implement an ECRM framework and evaluate its maturity over time.
Routinely talk with your board about:
- The strategic ECRM objective description, including costs and expected benefits
- Enabling objectives, including target completion date, expected completion date, and current status
- Key accomplishments toward achieving this objective during the last reporting period
- Planned accomplishments for the next reporting period
- Key issues, risks, and barriers that require board attention
- Key discussion areas for this update
Want to dive deeper into how to build board support for your ECRM program, including a closer look at how your board should think about your organization’s risks, risk treatment, and risk appetite? Check out “How to Engage Your Board and Investors in Productive Dialogue About Cybersecurity” on-demand.