In today's business landscape, effective risk management requires a comprehensive approach to corporate governance with robust all-hazards risk measures and strategies. Despite increasing awareness of the risks, many companies continue to operate under the assumption that cyber incidents are Black Swan events.
The reality is that cyber threats are ubiquitous and every organization is vulnerable. Worse still, the impacts of a single security incident can be calamitous for an organization's reputation, operations, financial stability and leadership. From board-level decision-making to daily operations, companies should prioritize cybersecurity and establish a strong and clear “tone at the top” to ensure that everyone in the organization understands its significance.
Drawing on lessons from high-profile cases like Uber, SolarWinds, Change Healthcare, and Wells Fargo, the intricate relationship between corporate governance and risk management provides valuable insights into how company leaders can navigate the ever-changing landscape of operational risk.
Ultimately, a proactive and comprehensive enterprise-risk approach is essential for companies that want to protect themselves from the costly fallout of a cyber-attack.
Corporate Scandal and Risk Management
Notorious corporate failures emphasize the clear risks of ineptitude and many examples of missed opportunities for course correction within leadership structures. Cases such as Wells Fargo and Theranos in the US highlight the need for companies to establish clear guidelines that prioritize risk management at all levels of the organization.
The case of Wells Fargo is particularly compelling. A longstanding and respected financial institution, the bank has been under the regulatory lens of the Federal Reserve and the Securities and Exchange Commission (SEC) for years after it was revealed that staff members were being encouraged to invent accounts for customers who had not given their consent in order to produce multiple pieces of business per customer.
The CEO’s motto was “eight is great,” and supervisors pressured salespeople to cold call, use members of their family, or dip into the customer database and just invent accounts for auto insurance, credit cards and other products. These accounts were then credited with deposits and charged fees, generating hefty profits for the bank.
Despite regulators imposing heavy fines, the scale of the punishment on Wells Fargo amounted to little more than a slap on the wrist for a bank of its size and earnings. The bank’s repeated investments to switch CEOs who have still failed to correct the culture further illustrate the complexity of eradicating deeply ingrained issues. Today, Wells Fargo has been unable to extricate themselves from the eye of the storm and continues to be under the scrutiny of regulators.
The Changing Role of the CISO
Amid corporate governance challenges the role of the CISO is evolving, with recent legal precedents highlighting a trend toward holding these key figures personally accountable for cybersecurity risk.
This shift is underscored by the conviction of Uber's former Chief Security Officer, who was convicted of criminal charges related to the alleged coverup of a data breach that affected the data of over 54 million people.
Similarly, the CISO of SolarWinds was charged in relation to the massive 2020 cyberattack that impacted numerous US government agencies and private companies. In private forums, CISOs are presently expressing concern about potential charges in the case of the massive Change Healthcare breach, as congressional hearings and lawsuits mount.
The growing trend of personal liability has sparked a response from many in the cybersecurity community. Recently, over 50 high-profile current and former security executives voiced their opposition to liability in an amicus brief. They argue that holding individuals personally accountable for corporate cybersecurity risk is unfair, doesn't reflect the reality of operating in uncertainty, and could also deter skilled professionals from pursuing leadership roles in a time of increasing need.
The pushback underscores the complex balance between responsibility and accountability in the increasingly high-stakes realm of cybersecurity risk management.
Tone at the Top
A clear tone at the top is critical for a board's handling of risk. While cybersecurity can seem especially complex and ever evolving, cyber needs to be understood as enterprise risk. In the absence of such acceptance, cybersecurity can be siloed, left up to IT, or improperly resourced. Group thinking can be especially dangerous, where board members may shy away from asking critical questions or raising concerns that are vital for risk management.
The right tone at the top will help when it comes to critically evaluating major decisions and changes, considering both best and worst-case scenarios. In this process, new and innovative technologies – for example, the adoption of AI – should be subjected to the same level of due diligence as traditional risk management protocols. Chasing novelties is markedly different from innovating and runs the risk of ending badly.
Cybersecurity has for too long been trapped in a “geek ghetto,” with business leaders seemingly comfortable to leave it to others (who may then be blamed for enterprise-wide impacts) or oblivious to the truth that cyber touches everything.
While it is challenging to bridge the gap between technical experts and board members, holistic risk thinkers with deep and diverse expertise should be empowered to help make informed decisions. After all, boards can’t guide what they don’t understand.
The Federal Reserve's intervention with the Wells Board serves as a case study: the Fed required Wells Fargo to replace three board members with sufficient oversight backgrounds to provide sound risk management. Good governance includes getting the right people to handle the right tasks.
To foster a secure and healthy organizational culture, the tone at the top must be more than just words on a page. At Wells Fargo, managements' focus on receiving bonuses led to practices such as cutting corners and modifying goals, with unacceptable behaviors going unreported or inadequately addressed. Risky issues can move up the organizational chain and decision-makers may overlook or sanitize them, creating a false sense of security. As such, it is the Board's responsibility to ensure that leaders at all levels exemplify the company's values and manage risks effectively. When leaders embody the right values and behaviors, companies are more adept in navigating both routine events and unexpected challenges, Black Swans or not.
This is the first in a two-part series on managing enterprise risk, with the second article focusing on governance.