No longer optional: Cyber risk oversight for boards


San Francisco — Attorneys for U.S. Bank and Wells Fargo recently told an audience of cybersecurity experts that cyber has transitioned from a management function to a mandatory board-level governance responsibility, and one that the board must exercise to reduce legal and financial exposure.

The two also discussed the idea of boards participating in tabletop exercises, in which a bank's security team practices what it would do in response to a realistic but fictitious cybersecurity incident. While the attorneys expressed general skepticism of the value of involving board members in tabletop exercises, they did offer alternatives to how the board could prepare for an incident.

The discussion came in the form of a panel at RSAC Conference, a leading cybersecurity conference held annually in San Francisco. The attorneys were Alison Atkins, chief cybersecurity and technology counsel at U.S. Bank, and Matt Greenberg, assistant general counsel and executive director of cybersecurity and incident response for Wells Fargo.

Boards shifting to active governance on cyber

Board members are no longer just trying to determine if practitioners "have a handle" on things, according to Tom Doughty, chief information security officer at Generate Biomedicines, one of the many public companies affected by regulatory changes in recent years that have changed the board's role in cybersecurity governance. Doughty sat on the panel alongside Greenberg and Atkins.

Instead, driven by clearer responsibilities and regulatory guardrails, directors' questions have improved. Directors are now in a mode of "trying to understand where they stand and the enterprise stands relative to those governance responsibilities."

Greenberg echoed this, saying he has seen a "much more involved CISO role" with board members "really wanting a much more meaningful understanding of the company's cybersecurity program."

Boards are indeed "much more interested in getting an understanding," according to Erez Liebermann, a partner at Debevoise & Plimpton and the moderator of the discussion. However, he suggested merely getting an understanding is insufficient and shouldn't be mistaken for "giving the actual supervision or oversight that they need to give."

Legal landscape demands board oversight

Atkins detailed the legal framework compelling increased board activity.

In Delaware, directors owe basic duties of care and loyalty, requiring them to act reasonably and in good faith. While not expected to be cybersecurity experts or manage risks themselves, board members must provide oversight and educate themselves, relying on reports and information.

This includes an expectation of competence, and potential director liability exists under existing Delaware case law (such as the Caremark doctrine) for "willful neglect" or ignoring red flags. A court even considered extending oversight liability to the board in a recent SolarWinds case, though the judge declined at that time.

Federal regulators have also emphasized board responsibility. The SEC's public company rules now mandate annual disclosure of cyber risk management practices, including board involvement. This requires reporting on the board's and senior management's response to threats, management's risk assessment role and board oversight. A consequence is that this information is public and class action attorneys are "post-breach harvesting this information to fuel these lawsuits," Atkins said.

The FTC has consistently stated that data security begins with the board, not the IT department, according to Atkins. Boards should set high expectations and build teams, potentially through subcommittees, to look at cyber risks.

Recent amendments to the FTC's Safeguards Rule for certain financial institutions require a qualified individual to report specific, written, annual information to the board, outlining what the FTC believes boards need to know.

FTC enforcement actions support this, Greenberg noted: after an incident, regulators will look at whether boards "have reasonable oversight over the cybersecurity programs," he said.

For covered entities, the New York State Department of Financial Services Part 500 amendments in 2023 emphasized that boards must have sufficient knowledge or expertise to oversee the cybersecurity risks, according to Greenberg, and require briefings on various aspects, including the security of information systems, policies/procedures, material risks, material incidents (with specific reporting timelines) and remediation plans.

These doctrines and regulations provide a "road map for your board" for a "bare minimum" of what regulators and Delaware are looking for, Atkins said.

Effective briefings and asking the right questions

Translating cyber risk into "business terms and operational terms and financial terms is something that really resonates" with board members who are experts in operational risk, Atkins said. This helps them provide effective oversight by leveraging their external view and spotting potential issues.

Since not all board members have cyber expertise, panelists suggested teaching them what questions to ask. Greenberg offered three key questions he'd like to hear:

Do you have enough resources to defend the company? What do I not know right now that is a risk to this company? What are the current cyber risks to this company?

These questions should be asked and answered in nontechnical terms, Doughty added. He also suggested CISOs proactively share questions the board should have asked.

Red flags that board members should watch out for during briefings include reports where "everything is great, everything is perfect, I have everything that I need, and don't worry about anything," Greenberg said.

Other red flags are internal self-assessments without external validation, lack of objective data, no metric limits for automatic bad news reporting, and not asking for or receiving information on topics like AI risks.

Green flags include consistent messaging, using independent testing, translating cyber risk into plain English, having a measured approach, using metrics and assuming breaches are inevitable — thinking about a breach as a when, not an if.

Benchmarking and external validation are important for interpreting metrics like scores based on frameworks from the National Institute of Standards and Technology, or NIST, which are meant to give a measure of how prepared an institution is against cyberattacks but can be meaningless without context.

Panelists also said boards need to understand maturity targets, correlation with investment choices, and the difference between what could be done and what should be done. Risk assessments presented with executive summaries can also be helpful. Basing discussions on actual threats and their potential impact on the company is crucial for making information actionable.

Board role during incidents and tabletop exercises

Panelists said that while executive teams manage incident response, the board's role is to provide oversight and insight. They bring a shareholder's perspective and cross-industry experience. They should understand the rapidly evolving situation and limitations around communications to control the message. They also need to be vigilant about protecting sensitive incident information to maintain privilege.

Regarding tabletop exercises, panelists agreed that boards should expect such exercises to be run at both the governance and technical levels. But they also generally agreed that directors should not sit in on and directly participate in an operational tabletop, as "that's not their role," Doughty said.

Instead, their involvement might include receiving information and asking questions as they would during a real incident, or participating in exercises designed specifically for the board to practice their notification and oversight role.

Greenberg suggested reframing it as "educating our board on what an incident is going to look like." This includes planning before an incident occurs, having criteria for board notification, knowing who will brief them, and understanding their role (not managing or approving the response).

Key issues to brief the board on during an incident include materiality for public disclosure, and decisions around negotiating or paying a ransomware demand, where board support is crucial even if the board does not formally approve the decision.

Documenting board involvement in tabletop exercises and incident briefings is critical for demonstrating oversight to regulators or in potential litigation.

"Document everything and assume that the regulators and lawyers are going to go over everything with a fine-tuned comb," Atkins advised.

MORE FROM AMERICAN BANKER