Environmental, Social & Governance Briefs

On Governance: Government Relations Expanding Role in Cybersecurity Risk

September 10, 2018

On Governance is a series of guest blog posts from corporate governance thought leaders. The series, which is curated by the Governance Center research team, is meant to serve as a way to spark discussion on some of the most important corporate governance issues.

The corporate Government Relations (GR) function is an increasingly important stakeholder in the evolution of the public-private approach to cybersecurity. The recent enactment of the General Data Protection Regulation (GDPR) in Europe emphasizes the critical role that regulation plays in the private sector approach to cybersecurity and data privacy. 

In February of this year, NTT Security and I spoke with the members of The Conference Board’s Government Relations Council on this issue. Here are the main points that were discussed around the convergence of government relations and cybersecurity risk. 

The GR function typically takes primary responsibility for communications with government for the purpose of interacting with the legislative process throughout the policy process on matters that impact the organization. As highlighted by GDPR, a flurry of regulatory activity has put cybersecurity firmly on the agenda of GR professionals, as regulators are just getting started on this issue. 

Regulation almost always lags risk. This is glaringly apparent in cybersecurity given how quickly the cybersecurity threat landscape moves relative to the regulatory process. U.S. regulators however are starting to focus on these issues.  

SEC Commissioner Robert Jackson Jr. said in August, “We know what happens when companies are breached. And what happens is millions of Americans’ data are lost or stolen or used against them in a way that we just can’t accept as a nation.” Cybersecurity guidance issued by the SEC in February highlights timely investor disclosure, insider trading and a strong internal controls environment as SEC priorities. The digital tone at the top of the SEC is clear that cybersecurity is a primary focus. 

This requires a more proactive approach from the private sector towards responsible cybersecurity policy which falls squarely on the corporate GR function.  

As regulators gain deeper understanding of the real threat and risks of cybersecurity, they recognize this issue as one with both national security consequences and public interest ramifications. 

During congressional meetings for proposed legislation S. 536 (The Cybersecurity Disclosure Act of 2017), Sen. Jack Reed, D-RI, posed the following question: “I think shareholders should be aware of what their investment —or their company is doing in terms of cybersecurity. And it leads to the question that I think a lot of people are asking now: Are companies at the proper level focusing proactively on avoiding major and costly cybersecurity attacks?”

If the reality or perception remains that companies are not adequately addressing the cybersecurity risk issue, legislators will put policy in place that forces corporations to the forefront of accountability through disclosure, penalties, standards, incentives, or any combination thereof, to address the issue. Moreover, it’s not just the US federal government actively legislating these issues, The National Conference of State Legislatures reports that 14 US states have already enacted 31 bills so far in 2018.  

Here’s what we believe is reasonable to expect in cybersecurity regulation moving forward:

• Much more regulation, across multiple levels of government;
• A legislative preference on corporate disclosure and accountability;
• More significant private sector penalties, both civil and criminal;
• More bi-lateral or multi-lateral cooperation between nation states;
• A government-led evolution to a coordinated public-private approach;
• Segmentation of policy to governance, systems, data and capabilities; and
• Nation state cybersecurity standards and dedicated regulatory enforcement.

Proactively engaging in cybersecurity policy formulation poses several unique challenges for the corporate GR function beyond resource constraints and specific domain knowledge on these issues. They include: 

• There is no global policy body: Cybersecurity risk has no boundaries, while policy setting does. This puts a very large burden on GR to engage and understand a global or even national policy approach where there are federal regulations, as well as state specific regulations in the US.    

• Policy doesn’t mean protection: The lag between policy and risk is only growing. So, while GR has a role to play in policy, policy won’t keep up with the leading edge of the risk landscape. We believe this will change the nature of regulatory policy to an accountability focused mandate that puts the burden on the private sector, which increases the importance surrounding early involvement in the legislative process.

• Tragedy of the common risks: Risks are often shared, mitigations aren’t. The weakest link theory of cyber risk ensures that a supply chain or digital ecosystem is only as secure as its weakest link. Does this place a disincentive on individual organizations for remediation, policy engagement or an undue burden on larger companies? We believe that it also portends an eventual regulatory requirement of a generally accepted cybersecurity standard.

• Hackers are better than you: Hackers are organized, efficient and find weakness. This a battle being fought from behind, regulators know this, and we again think this will contribute to a regulatory bias of putting the burden on the private sector to address this issue. 

• Policy free-riders paradox: Big companies usually bear a greater cost around policy engagement; because they have the resources and more at stake. However, their risks are heavily influenced by weaknesses across their supply chain. How will the few able to engage in policy, support and represent the needs of the many and collective risk in the policy process?  

There are significant challenges in cybersecurity risk management that extend well beyond one organization or a simple policy solution. Responsible and effective cybersecurity policy requires a strong and coordinated private sector approach to advocacy that puts a heavy burden and responsibility on the GR function. 

Our recommendations and emerging leading practice observations for GR engagement in the cybersecurity process include: 

• Mapping the global and local cyber regulatory environment to your business;
• Conducting a cyber-legal assessment to identify and prioritize key risks;
• Proactively engaging key government agencies and embedding resources in central agencies to be a resource and engage early in the policy process;
• Looking for help from industry associations or other groups who can help with the collective responsibility and risk issues;  
• Engaging GR with the board level cyber governance agenda. 

Cybersecurity governance and the broader issues around digital governance are emergent competencies in the corporate boardroom. The risks are real; there’s no denying them. Being proactive and building a coordinated enterprise approach to these issues is a good starting point and GR has a key role to play in the long-term effectiveness of cybersecurity risk management. 

The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.