Health system boards have been inundated over the last year with information and warnings about cybersecurity matters and their related fiduciary obligations. Yet a new commentary published by the influential policy organization The Conference Board is noteworthy because it focuses specifically on the governance implications of the recent WannaCry and Petya/NotPetya ransomware attacks. The focus of the article is threefold.
First, it argues for the appointment of at least one person with “deep cyber risk management expertise” to the board of directors. This expertise is defined as including “knowledge of best practices, technologies and key cyber risk metrics.” As with other competency-based board appointments, the expectation is that the presence of at least one cyber expert will support board oversight and decision-making by providing a “translation layer” between the organization's cyber risk specialists and the other board members. This argument is supported by reference to various legislative and regulatory initiatives seeking broader disclosure by boards of their cybersecurity awareness.
A second argument is to assure the delivery of appropriate cybersecurity information to the board, including a broad-based understanding of key concepts. The author points to The Conference Board’s Cyber-Risk and Security Management Council as a useful resource. In this regard, boards should also be aware of the NACD’s 2017 Director’s Handbook on Cyber-Risk Oversight, which is intended to support board members of public companies, private companies and nonprofit organizations of all sizes and in every industry sector. A third argument is to assure the delivery of appropriate levels of cyber-risk-related information to the board, as well as the implementation of effective cyber-risk reporting and communication practices through the chief information security officer (CISO).
In the current environment, there is a significant concern that governing boards are saturated with cybersecurity information and proposed solutions. That being said, the recent ransomware attacks provide an opportunity for the general counsel, teaming with the CISO, to assure that cyber-risk issues are properly addressed at the board level.