Solutions lie in clear and high-level governance

Report researched and compiled by McKinsey authors Tucker Bailey, Soumya Banerjee, Christopher Feeney, and Heather Hogsett.
Cybersecurity has become a top concern for the boards of financial-services firms, and the level of concern seems to be growing day by day. With organizations seeking to create new digital customer experiences, applying sophisticated data analytics, and investing in a wealth of other technology innovations, cyber-risk management clearly requires governance at the highest levels. The advent of the COVID-19 crisis makes this challenge even more urgent.
Well before the pandemic hit, the Bank Policy Institute and McKinsey began to address these issues. To gain deeper insights and help guide boards in their decision making, we collaborated on a survey of top financial firms to assess current cybersecurity trends, challenges, and solutions. We found that boards are not only spending a significant amount of time on cybersecurity challenges and ways to address them but also assigning committees to deal specifically with these issues.
However, though many boards are working to integrate cybersecurity resilience into their overall risk efforts, they have not yet learned to measure these risks consistently and to maximize value for money. Boards also need practical new approaches to set their risk tolerance for cybersecurity and to guide management’s resourcing and spending so that they can address the consistent and persistent risks inherent in this area.
As boards look at their next moves, they can take their cues from more advanced firms starting to adopt a cybersecurity and technology risk-management strategy informed by business operations. These firms are integrating their efforts to control cybersecurity and technology risks with operational risks and resilience. They are giving their boards new views of information to help them assess cyber-risks against the risk tolerance of the enterprise and ensuring that board members have the knowledge to oversee these activities.
An Evolving And Increasing Role For The Board
A total of 23 financial-services firms, mostly in North America, participated in the survey. They included a diversity of sizes and lines of business. The survey had 14 questions in three broad areas:
- Oversight. What is the nature of board oversight of cyber-risks—including which committees are responsible, who serves on them, and how often do they meet?
- Structure. Are boards forming technology committees with a mandate that includes cyber-oversight and, if they have, what is their structure and charter?
- Awareness and understanding. How are boards becoming more aware of these risks, understanding them better, and increasing their skills and expertise?
Oversight: More Frequent And Intense
Actions by boards reflect the increased attention all financial firms are now devoting to cyber-risk. Ninety-five percent of board committees, for example, discuss cyber-risks and tech risks four times or more a year. One such firm holds optional deep-dive sessions the week before each quarter’s board meeting. These sessions cover relevant topics, such as updates on the current intelligence on threats, case studies of recent breaches that could affect the company or others in the industry, and the impact of regulatory changes.
There has been a remarkable shift in board awareness of cybersecurity in the past few years: for example, earlier McKinsey research, from 2017, suggested that only 25 percent of all companies gave their boards information-technology and security updates more than once a year. More frequent and consistent communication between board members and senior management on this topic now enables boards to understand the financial, operational, and technological implications of emerging cybersecurity threats for the business and to guide its direction accordingly.
Firms increasingly recruit experts for these committees. Sixty-five percent of them, for example, have at least one board director with expertise in cybersecurity, technology risk, or both. These directors include senior executives of top technology companies and executives with defense or intelligence backgrounds.
Structure: Appointing A Specialized Technology Committee
Risk and audit committees are the primary overseers of these risks, but a growing number of firms—22 percent overall, and as many as 35 percent in some segments—have a technology committee to oversee cybersecurity.
A desire for better cyber-risk oversight is part of the reason for the creation of such committees—but not the only reason. The areas covered in their charters include these:
- Integrating the oversight of cyber-risk and resilience with technology and operational resilience, including business continuity
- Applying an expert focus to strategic technology choices, innovation, transformation initiatives, and investments
- Better managing regulatory concerns and requests in these areas
Awareness And Understanding: Growing, But Challenges Remain
The growing awareness and attention of boards to cybersecurity risks is reflected in a number of ways—for example, how companies report on such risks to their boards. These reports nonetheless remain a challenge for many. True, 65 percent of firms integrate cybersecurity and operational resilience in reports to the board. An additional 9 percent plan to do so soon. However, the types and number of metrics firms use to report to their boards on cyber-risk vary widely among firms—and a higher number of metrics does not correlate with the size of the firm.
Advanced boards: A More Integrated Cybersecurity Strategy
Advanced boards are shifting their role on cybersecurity by actively trying to understand the cyber-risks to their companies and helping to set the direction on risk and investment strategy. A number of factors are causing this shift in the involvement of boards—for instance, the rising number of cyber-risk breaches making headlines, regulators who increasingly hold companies accountable for addressing gaps in their cybersecurity resilience, and the increase in the level of cybersecurity and technology investment. Boards looking for direction can take cues from those that have already begun to pursue a cybersecurity and technology risk-management strategy integrated with business operations. These strategies have three major elements.
Ensuring That The Board Has The Necessary Knowledge And Skill
Leading firms ensure that boards know about cybersecurity and tech risks in the business context, their potential impact, and how the leadership is addressing them. Such firms update the board on these issues at least quarterly, with additional awareness and education sessions as needed. They use simulations and tabletop exercises to prepare the board and test the ability of the senior leadership to respond to a major cyber-incident: for example, they will simulate a cybersecurity-related crisis, such as a ransomware demand that may expose customer data.
Such simulations help senior executives become better prepared to make high-stakes decisions under pressure, and the board gains a deeper understanding of the firm’s capabilities. The insights generated by the simulation help refine the crisis-response playbook and build the type of “muscle memory” required to make appropriate decisions in real time with limited information.
Cyber-risks are diverse, difficult to predict or quantify, and growing. Mature boards are taking a comprehensive approach to managing cyber-risks by developing strategies integrated with the rest of the business to increase their awareness, understanding, and skills. In this way, they are making themselves important, valuable partners for management in the effort to increase the resilience of their firms.