In today’s business environment, effective risk management requires a comprehensive approach to corporate governance with robust risk countermeasures and strategies for all hazards. Despite increased awareness of risk, many companies continue to operate under the assumption that a cyber incident is a black swan event.
The reality is that cyber threats are everywhere and every organization is vulnerable. Worse yet, the impact of a single security incident can be devastating to an organization’s reputation, operations, financial stability, and leadership. From board-level decision-making to day-to-day operations, companies need to prioritize cybersecurity and establish a strong, clear “tone from the top” so everyone in the organization understands its importance.
Leveraging lessons learned from high-profile cases such as Uber, SolarWinds, Change Healthcare, and Wells Fargo, and understanding the complex relationship between corporate governance and risk management, the book offers valuable insight into how company leaders can navigate the ever-changing operational risk landscape.
Ultimately, a proactive and comprehensive enterprise risk approach is essential for any business that wants to protect itself against the high cost of cyber attacks.
Corporate Scandals and Risk Management
Notorious corporate failures highlight the clear risks of incompetence and the many missed opportunities for course correction within leadership structures. The failures of U.S. companies such as Wells Fargo and Theranos have emphasized the need to establish clear guidelines that prioritize risk management at all levels of the organization.
The Wells Fargo case is particularly instructive. A long-standing and well-respected financial institution, the bank has been under regulatory scrutiny from the Federal Reserve and the Securities and Exchange Commission for years after it was revealed that it pushed employees to open accounts without customers' knowledge or consent in order to increase the number of products sold per customer.
The CEO's motto was "eight is great" (eight products per customer), and managers pressured salespeople to make cold calls, sign up family members, and trawl through customer databases to fabricate accounts for products such as auto insurance and credit cards. Customer funds were moved into these unauthorized accounts, fees were charged on them, and the bank booked substantial profits.
Although regulators imposed fines that were large in absolute terms, the penalties were light relative to the bank's size and revenue. The bank replaced its CEO more than once but still failed to fix its culture, illustrating how hard it is to root out deeply entrenched problems. Wells Fargo has yet to escape the eye of the storm and remains under regulatory scrutiny today.
The Changing Role of the CISO
As corporate governance challenges remain, the role of the CISO is evolving, and recent case law has highlighted the trend toward holding these key individuals personally liable for cybersecurity risks.
The shift was highlighted by the criminal conviction of Uber's former chief security officer. That liability stems from his role in concealing a 2016 data breach that exposed the records of roughly 57 million riders and drivers.
Similarly, the Securities and Exchange Commission brought fraud charges against SolarWinds and its CISO in connection with the massive supply-chain attack that affected numerous U.S. government agencies and private companies in 2020. The Change Healthcare breach has already prompted congressional hearings and a growing number of lawsuits, and CISOs are now voicing concern about the possibility of prosecution in that case as well.
The growing trend toward personal liability has generated backlash from many in the cybersecurity community. More than 50 prominent current and former security executives recently spoke out against personal liability in an amicus brief. They argue that holding individuals responsible for a company's cybersecurity risk is unfair, does not reflect the reality of operating a business under uncertainty, and could discourage skilled professionals from pursuing leadership roles at a time of increased need.
The backlash highlights the complex balance of responsibility and accountability in the field of cybersecurity risk management.
Tone at the Top
For the board to address risk, clarity from the top is essential. Although cybersecurity is particularly complex and constantly evolving, cyber must be understood as an enterprise risk. Without that recognition, cybersecurity is siloed, relegated to the IT department, and under-resourced. Groupthink is particularly dangerous: it can lead board members to avoid asking the hard questions or raising the concerns that effective risk management depends on.
The right tone at the top supports critical evaluation of any significant decision or change, considering both best-case and worst-case scenarios. In that process, new and disruptive technologies such as AI should be subjected to the same due diligence as traditional risk management protocols. The pursuit of novelty is very different from innovation and carries a real risk of ending badly.
Cybersecurity has been confined to the “nerd ghetto” for too long, and business leaders are either comfortable leaving it to others (and potentially holding them responsible for the impact across the enterprise) or seem oblivious to the fact that cyber touches everything.
Bridging the gap between technical experts and board members is difficult, but holistic risk thinkers with deep and diverse expertise must be empowered to help the board make informed decisions. After all, boards cannot oversee what they do not understand.
The Federal Reserve's intervention in the Wells Fargo board serves as a case study. The Federal Reserve required Wells Fargo to replace three directors with new members who had sufficient oversight experience to ensure sound risk management. Good governance means putting the right people in the right roles.
To foster a safe and healthy organizational culture, the tone at the top must be more than words on paper. At Wells Fargo, management's focus on earning bonuses led to corner-cutting and shifting sales goals, and unacceptable behavior went unreported and unaddressed. Warning signs can be diluted, overlooked, or covered up as they move up the organizational hierarchy, leaving decision makers with a false sense of security. The board therefore has a responsibility to ensure that leaders at every level embody the company's values and manage risk effectively. When leaders model the right values and behaviors, the company is better able to handle both routine events and unexpected challenges, black swan or not.
This is the first of a two-part series on managing enterprise risk, with part two focusing on governance.