It wasn't that long ago that the topic of cybercrime was met with boredom by board members, according to a former financial services CIO who currently serves on several corporate boards. These days, cybersecurity is an eye-popping (and nail-biting) topic around the boardroom table, and it's not just focused on members' fiduciary duties as they relate to risk management. "It is expanding to areas like impact to reputation, brand, market and investor perceptions, threats to revenue," he told me.
And in terms of cybersecurity regulations, such as the proposed Cybersecurity and American Cyber Competitiveness Act of 2013 and Cyber Intelligence Sharing and Protection Act (CISPA) of 2013, the conversation isn't so much about the cost of putting the proper security controls in place to meet such requirements, but about the cost of the indirect and direct damages caused by cyberattacks and cybercrime.
The CIO and the chief information security officer (CISO) often are the ones who make the board aware of such statistics as the average annualized cost of cybercrime: $8.9 million per year, with a range of $1.4 million to $46 million for the 56 U.S. companies surveyed by the Ponemon Institute in October 2012. These same companies reported 102 successful cyberattacks on their organizations, or 1.8 successful cyberattacks per company, per week. Yikes.
Of course, CIOs, CISOs and risk management officers have been banging the cybersecurity drum for years, but it wasn't until last year that the topic started to resonate loudly with board members and legal counsel.
In its December 2012 Law and the Boardroom Study, Corporate Board Member and FTI Consulting Inc. found that almost half of the 11,340 board directors surveyed said data security was a top concern, while 55% of the 1,957 general counsel respondents said poor data security was their top fear. When they were surveyed about security in 2008, only 28% of the directors and legal counselors had said it was a concern.
Their second concern in 2012? Having the right measures in place or in the works to tackle corruption and regulatory investigations. Forty percent of the directors were also worried about managing the company's reputation. Sometimes a hack is merely humorous and harmless to a company brand, although Burger King probably didn't find the hack of its Twitter account funny. In other cases, a hack is more damaging, as T.J. Maxx found out: At the time of the fashion retailer's breach, "Avoid becoming the next T.J. Maxx" was a common headline.
Reputation, brand and revenue have always been under the corporate board's microscope, but cybercrime is subjecting reputation and revenue to a realm of unfamiliar threats. A down economy or a poor product review are threats that board members are used to correcting with their vast knowledge and experience; an invisible enemy is not. The CIO and the CISO will help guide boards' cybersecurity investments, but this might prove challenging: They'll be in the hunt to hire cybersecurity specialists at a time when government agencies like the Department of Homeland Security also are looking to hire 30,000 security experts to safeguard cyberspace.