In late 2018, I had the opportunity to discuss “Cyber in the Boardroom” with Kim Nash from the Wall Street Journal. True, many boards still address cybersecurity in the audit committee. However, many are reconsidering this approach. Given the importance of cybersecurity to strategy, digital transformation, and risk, many boards want to elevate and expand the discussion.
2019 is the right time for many boards to consider the same.
Below are excerpts from the discussion with Ms. Nash. A full copy of the piece is in the resource section on this site.
Boards are Creating Cybersecurity Committees to Watch for Threats, Assess Company Defenses
Wall Street Journal Pro Cybersecurity, Nov. 28, 2018. By Kim S. Nash
Corporate boards are increasing oversight of cybersecurity as damages and regulatory pressure stack up after major breaches. A handful of boards are creating committees specifically dedicated to scrutinizing cybersecurity.
These cyber committees concentrate expertise on evaluating defensive and offensive efforts by executives and on elevating the topic at general board meetings. The committees are rare at large public companies. Among the 50 biggest U.S. public companies by revenue, General Motors Co.’s board is alone in running a cybersecurity committee, according to a WSJ Pro Cybersecurity review of regulatory filings.
A designated committee for cybersecurity can assess how company leaders protect data and systems, as well as how well they anticipate potential threats, said Jim Pflaging, chairman of a board-level cybersecurity committee at SailPoint Technologies Holdings Inc.
“We’re hearing from the SEC that cybersecurity is the number one issue affecting corporate governance today. Those are pretty strong words,” said Mr. Pflaging, managing partner at Cynergy Partners Inc., which advises boards on cybersecurity and risk. SailPoint, which makes identity management tools, created its cyber committee in May.
Since the Securities and Exchange Commission in February published guidance for companies to report more details about cybersecurity threats, many companies have disclosed more information about how they manage security. This has prompted directors to question senior technology leaders closely at board meetings, said James Lam, president of board advisory firm James Lam and Associates, and a director at E*Trade Financial Corp. since 2012.
General Motors formed a cybersecurity committee in November 2017 to oversee overall cyber risk in operations. Also an impetus, according to GM’s most recent proxy filing: The company’s moves into self-driving cars. The new business, the board noted, must entail protection of GM’s products, customer data and intellectual property.
Linda Gooden, a GM director since 2015 and former executive vice president at Lockheed Martin Information Systems and Global Solutions Inc., chairs the new cyber committee. Other members are Adm. Michael Mullen, former chairman of the U.S. Joint Chiefs of Staff; and Thomas Schoewe, former CFO of Walmart Inc.
In its two meetings as of the filing of its proxy statement in April, the committee had reviewed GM’s key cybersecurity risks and programs and approved a ransomware policy, among other tasks.
The GM board transferred cyber oversight from its audit and risk committees. But audit and risk are by far the most common committees that handle cybersecurity matters. Some companies recently have added or expanded responsibilities for security there, including Ford Motor Co. and CVS Health Corp. FedEx Corp. in 2000 was early among large public companies to create a committee dedicated to technology. Duties of its Information Technology Oversight committee include cybersecurity.
Tighter focus by directors in a dedicated cyber committee may help identify threats more quickly, said Mr. Pflaging, who joined SailPoint’s board in 2015. Discussions won’t be curtailed to fit in other topics during meetings, he said.
A cyber committee can help ensure that executives trying to transform their business models with artificial intelligence, blockchain or other emerging technology pay attention to related threats, he said. “Every business can and should stop to reassess how do we transform that business. Much fewer make the same leap to [determine] how to do it securely.”