Accountability for Cyber Risk Management: A Critical Imperative for C-Suite Executives and Board Members
(This article was originally posted on July 1, 2024, on my Enabling Board Cyber Oversight™ blog series as Accountability for Cyber Risk Management: A Critical Imperative for C-Suite Executives and Board Members)
It is wrong and immoral to seek to escape the consequences of one’s acts. — Mahatma Gandhi
Introduction
According to the Merriam-Webster dictionary, “accountability” is “the quality or state of being accountable, especially an obligation or willingness to accept responsibility or to account for one’s actions.” Hey, just like Gandhi said!
In today’s digital landscape, cyber risk management has become a paramount concern for organizations across all industries, but none more so than healthcare. The significant increase in data breaches and cyberattacks necessitates a shift in perspective, where C-suite executives and board members must take proactive accountability for their organization’s cybersecurity measures. The stakes are high, and the consequences of inaction can be devastating financially and reputationally, and in healthcare, a matter of life and death.
In a recent post, Thinking Clearly About Risk Assessments, I cited three root causes for the global, cross-industry chaos we find ourselves in with all the failed enterprise cyber risk management (ECRM) and cybersecurity efforts:
1. Risk illiteracy
2. Lack of C-suite/board accountability
3. Failure to appreciate the strategic value of ECRM
In that article, I addressed risk illiteracy. We’re long overdue for more cyber risk management accountability by the C-suite and board of directors. In this article, I’ll explore this challenge and suggest some solutions.
So, What’s the Problem?
The problem is that there are no consequences for ECRM and cybersecurity failures on the part of C-suite executives and board members.
Cyberattacks have surged in frequency and sophistication, targeting vulnerabilities in organizational systems. This alarming trend underscores the urgency for top-level accountability in managing cyber risks. Yet, we’ve not seen fines, penalties, criminal charges, or, for that matter, any consequences for the C-suite and board.
The Role of Executives and Boards
C-suite executives and board members are fiduciaries responsible for acting in the best interests of their organizations and stakeholders. This duty extends to ensuring the organization’s cybersecurity posture is robust and effective. The concept of duty of care, as it applies to cyber risk management, demands that these leaders be vigilant, informed, and proactive in their approach.
In Chapter 3 of Enterprise Cyber Risk Management as A Value Creator, entitled The Courts Are Picking Up the Cyber Pace, I discuss the so-called Caremark Standard and recent cyber cases that tend to tighten accountability by executives and directors. In the derivative lawsuit against Equifax, the former CEO was alleged to have personal knowledge of the cybersecurity inadequacies, leading to a landmark ruling where the claim against him survived a motion to dismiss.
Learn from Other Accountability Actions
I have experienced these three examples of how government actions have raised accountability for executives and board members during my career. I suspect there are others.
Banking Circular 177
In 1983, the Comptroller of the Currency, Administrator of National Banks, issued Banking Circular 177 (BC 177), entitled “Federal Banking Interpretive Issuances, Contingency Planning for Electronic Data Processing Support”. The agency revised it in 1987 to clarify the policy regarding the board’s accountability for contingency planning, a top security concern and control of the day. An excerpt from the 1987 policy is:
The Board of Directors of your bank annually must review and approve management’s assessment of:
This annual review and approval must be noted in the minutes of the Board of Directors and will be verified at each on-site review of your institution.
While BC 177 has been rescinded and replaced with more modern technology risk management guidance, the executive and board accountability requirement remains. In the case of Banking Circular 177, directors learned about business continuity and disaster recovery planning, started paying close attention to it, and started investing in it. At the time, I worked at GE as an operations manager commercializing GE’s internal Disaster Recovery Facility (DRF). It was like an industry was born!
Sarbanes-Oxley Act Of 2002, Section 302
Section 302 of the Sarbanes-Oxley Act (SOX), which addresses “Corporate Responsibility for Financial Reports,” is codified in the Electronic Code of Federal Regulations (eCFR) at 17 CFR § 240.13a-14. It effectively states that the CEO and CFO are directly responsible for the accuracy, documentation, and submission of all financial reports and the internal control structure to the SEC. More specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed them in the past 90 days.
When SOX was enacted, I was the EVP and CIO of Healthways, a $750MM publicly traded healthcare company. The CEO and CFO, my wife Mary Chaput, adopted a rejuvenated interest in our security and compliance programs. Budget dollars appeared overnight.
Yates Memo
The “Yates Memo,” officially titled “Individual Accountability for Corporate Wrongdoing,” was a directive issued by then-Deputy Attorney General Sally Yates on September 9, 2015. It aimed to make corporate criminal matters more personal by enhancing the Department of Justice’s (DOJ) efforts to hold individuals accountable for corporate misconduct. The Yates Memo intended to deter corporate wrongdoing by ensuring responsible individuals faced legal consequences, reinforcing ethical business practices. However, the memo faced criticism and challenges. In November 2018, then-Deputy Attorney General Rod Rosenstein announced revisions to the memo, relaxing some of its stringent requirements, signaling a shift towards a more flexible approach to handling corporate crime.
When the Yates Memo was first published, I was building Clearwater Security, then a HIPAA compliance and cybersecurity business. The legal community was buzzing about the Yates Memo paving the way for more HIPAA compliance and a new enforcement arrow in OCR’s quiver, etc.… nothing happened. Healthcare C-suites and boards did not pay any more attention to HIPAA compliance, ECRM, or cybersecurity due to the Yates Memo.
We Need a Dosage of Personal Accountability
Samuel Johnson said, “Depend upon it, sir, when a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully.” There’s nothing like a little personal liability to focus the minds of board members and executives. Until we hold executives and board members more personally accountable, most organizations will continue to pay lip service to ECRM, cybersecurity, and compliance matters.
C-suite executives and board members must be held personally accountable for these efforts. Their involvement and accountability ensure that ECRM and cybersecurity receive the attention and resources they deserve at the highest levels of the organization. When top executives are accountable, it sends a clear message that cybersecurity is a strategic priority, not just an IT issue, fostering a culture of security awareness throughout the company.
Personal accountability among C-suite executives and board members also mitigates risks associated with potential breaches. It ensures that they make cybersecurity decisions with the utmost care and consideration of the organization’s broader risk landscape. This accountability drives executives to stay informed about the latest cyber threats, invest in cutting-edge security technologies, and implement comprehensive employee training programs. Moreover, regulatory bodies and stakeholders increasingly expect senior leaders to take proactive stances on cybersecurity. Failure to do so can result in severe financial penalties, legal repercussions, and lasting reputational damage. Executives can better navigate these challenges by being directly accountable, ensuring the organization complies with regulatory standards and builds resilience against future cyber threats.
Other Internal Proactive Measures and Best Practices
To mitigate cyber risks and fulfill their fiduciary duties, executives and board members must adopt a proactive stance toward cybersecurity. This stance includes:
Conclusion
The increasing frequency and severity of data breaches and cyberattacks necessitate that C-suite executives and board members take direct accountability for their organization’s cybersecurity. The legal, financial, and reputational risks associated with data breaches make it imperative for top-level leadership to prioritize cyber risk management. By adopting proactive measures and integrating cybersecurity into their broader risk management strategies, executives and board members can protect their organizations from the potentially devastating impacts of cyber threats.
The courts’, regulators’, and legislators’ renewed interest in ECRM and cybersecurity is good news. We still need accountability at the highest levels of leadership. It needs to start with more government actions requiring personal accountability, tastes of what we saw in Banking Circular 177, Section 302 of the Sarbanes-Oxley Act, and the Yates Memo.
In addition to the educational content and actions recommended in this article, you may pick up a copy of Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage to learn more.
#riskmanagement #enterprisecyberriskmanagement #cyberriskmanagement #cyberriskilliteracy #boardcyberoversight #boardofdirectors
CEO & Co-founder at Kovrr | Cyber Risk Quantification
5mo
Great article, Bob Chaput! For better or worse, as time has told, the C-suite/board is not going to take accountability without the proper 'sticks' in place. But when they do, there will also be an enormous amount of 'carrots.' Prioritizing cybersecurity and integrating it with the overall business mission inevitably makes the organization stronger, more resilient, and more successful. Plus, when regulating bodies make this line of accountability clear, CISOs can stop worrying about facing charges and start focusing on their jobs - we all know they have enough work as it is!