3.6.23 > Daniel Cunningham

Corporate boards, even in technology companies (see SolarWinds), have been slow in evolving to govern the significant risks of digital business environments; often leaving cybersecurity oversight to the audit committee. Digital disruption and cybersecurity threats, however, continue to evolve rapidly. Cybercrime caused $6 trillion in damage in 2022. [1] That number is predicted to reach $8 trillion in 2023 and $10.5 trillion by 2025. [2] If cybercrime were a country, it would have the third largest economy in the world. [3] Additionally, a company’s reputation can be severely damaged, resulting in a loss of customers, partners, and investors. Aside from the upcoming SEC rule changes, there are two actions boards can take quickly to reduce the costs cybercrime: creating a separate cyber and technology committee and adding qualified technology experts to the board.

 

Image 1: A breakdown of global cybercrime damage costs predicted by Cybersecurity Ventures in 2023 [2]

A Separate Cyber and Technology Committee

Deloitte describes the audit committee as having responsibility for overseeing financial reporting and related internal controls, risk, independent and internal auditors, and ethics and compliance. [4] As noted above, there is certainly significant financial risks in cybersecurity, and current SEC rules regarding material cybersecurity risk disclosure seem appropriate. However, there are several compelling reasons to create separate cyber and technology committee.

First, any cybersecurity practitioner will tell you that compliance does not equal security. Current compliance requirements in cybersecurity often only look to ensure that some processes, procedures, and controls are documented and implemented. Rarely to audits truly look to the effectiveness of such documents or controls.  Ensuring there is a firewall in place may meet audit requirement, but if the only rule is wide open you are certainly not secure. Having a cyber and tech committee can help ensure control effectiveness.

Second, it allows for more efficient governance over the very different functions of audit/financial strategies and cyber and technology strategies. Some of the benefits of board committees are specialization, efficiency, and accountability. A cyber and technology committee will lead to better overall board efficiency by being accountable to this specialization and allowing other committees to focus on their core competencies.

Third, it communicates to all employees, investors, and stakeholders that cybersecurity is a priority at the highest levels of the organization. Cybersecurity is not just an IT issue; it is a business issue. A separate cyber and technology committee can help to ensure that cybersecurity is integrated into the company’s overall strategy and is given the appropriate level of priority.

Lastly (though this is not a complete list), a separate cyber and technology committee can help to ensure that the organization has effective controls in place to protect against legal liability. Boards are increasingly under pressure of being held liable for losses related to cybersecurity incidents.  A separate cyber and technology committee, with clear charter and direction, can demonstrate governance obligations are being met.

Adding Qualified Technology Experts to the Board

Of course, to fully take advantage of the benefits creating a separate cyber and technology committee may deliver, boards should seek to add qualified technology experts to their ranks. A qualified technology expert can bring a wealth of knowledge and expertise to the boardroom, helping to ensure that the company stays up-to-date with the latest trends and developments in the industry. Here are some of the key benefits of adding qualified technology experts to corporate boards:

First, improved decision-making. By having a technology expert on the board, companies can make more informed decisions about technology investments, development, and implementation. They can provide valuable insights on how technology can improve business processes and increase efficiency.

Second, better risk management. With the rise of cybersecurity threats and the increasing importance of data privacy, having a technology expert on the board can help companies better manage their technology-related risks. They can provide insights into potential vulnerabilities and suggest strategies to mitigate them.

Third, increased innovation. Technology experts can bring new ideas and perspectives to the table, helping companies stay ahead of the curve and remain competitive in their respective industries. They can help identify emerging trends and technologies that could have a significant impact on the company’s future growth and success.

Fourth, greater diversity. Adding qualified technology experts to corporate boards can also help increase diversity, both in terms of skills and backgrounds. This can lead to more balanced decision-making and a more holistic understanding of the company’s operations and challenges.

Lastly, better overall performance.  Companies with digitally savvy boards had 38% higher revenue growth, 34% higher ROA, and 34% higher market cap growth than companies with non-digitally savvy boards. [5]

 

Today’s Contributor

Dan Cunningham provides direction to and is responsible for coordinating resources for 3M’s incident response teams. For the MN National Guard he plans cyber engagements with the Croatian Armed Forces. Commissioned a Second Lieutenant in 2002, Lieutenant Colonel Cunningham has commanded and the company level, and was the first commander of MN’s Cyber Protection Team. He has completed deployments to Bosnia in 2003-2004 and Iraq in 2006-2007 and 2009-2010. His most significant award includes the Bronze Star Medal with a bronze oak leaf cluster.

He earned a Bachelor of Arts in Mathematic from St. Olaf College, and holds numerous industry certifications. Dan is currently completing the Master of Science in Security Technologies program at the University of Minnesota’s Technological Leadership Institute.