blog post

Cybersecurity Risk, Fiduciary Liability and AI

Jane, as the Chair of a midsized US corporation, is getting ready to address the press about her company’s recent acquisition of a promising manufacturer of post-COVID safety products. She is aware of an industry alert identifying similar companies as potential targets of a substantial cybersecurity attack.

She recalls an article in the Harvard Business Review which had pointed out that cybersecurity falls under the fiduciary responsibilities of the board. That information, coming as it had after a relatively minor breach of her company, had prompted the board to take steps to minimize what risks they could. They implemented policies and procedures in accordance with the NIST/FAIR guidelines. Now, as board chair, Jane is in a position to guide the company through the final implementation of best policies and methods for cybersecurity.

Knowing that cybersecurity breaches can wipe out billions of a company’s capital value because of the market’s loss of trust, Jane is confident that the board has both best-practice policies and 80% of the procedures in place to cover its fiduciary liability.

Cyber-risk is a Board Level Fiduciary Responsibility

In a recent article on the subject published by Board Source, a global leader supporting boards in their role as fiduciaries, fiduciary duty was summarized as:

“Fiduciary duty requires board members to stay objective, unselfish, responsible, honest, trustworthy, and efficient. Board members, as stewards of public trust, must always act for the good of the organization, rather than for the benefit of themselves. They need to exercise reasonable care in all decision making, without placing the organization under unnecessary risk.” 

Another way of saying this is that fiduciaries must exercise their best “business judgement” when making decisions that are not easily reduced to a set of binary choices. The Business Judgment Rule states that officers and directors must make decisions that they believe, in good faith, to be in the best interests of their companies, and must make those decisions only after appropriate research and due-diligence inquiries. The decisions must be the product of appropriate care and thought.

The term “fiduciary” is most often used in managing private trusts, pension funds, or health savings accounts. In our work advising US and international organizations during the last 30 years, we have become familiar with the difficulty that boards have in understanding what that really means. It wasn’t until the 1990s that a set of ISO 9000-based best practices was developed which gave pension fiduciaries the means to assess their conformance.

Those standards focus on process, not on results. For example, determining whether or not “the level of volatility the portfolio is exposed to, is understood by the investment steward, and the qualitative and quantitative factors that are considered are documented” is not easily quantified.

So, what does this have to do with board members and cybersecurity? In the seminal 2015 ruling in Tibble v. Edison International (13-550), the United States Supreme Court held that

“Because a fiduciary normally has a continuing duty to monitor investments and remove imprudent ones, a plaintiff may allege that a fiduciary breached a duty of prudence by failing to properly monitor investments and remove imprudent ones.”

Risk Management, the Board and Business Judgement.

I believe that the increase in cybersecurity breaches, incidents, and subsequent litigation highlights how board fiduciary liability has expanded to include intellectual property, customer and employee information, and other sensitive information. Indeed, in their article published in the Harvard Law School Forum on Corporate Governance (20 March 2018) titled Risk Management and the Board of Directors, the authors suggested that “…while it is true that the Delaware Supreme Court has not indicated a willingness to alter the strong protection afforded to directors under the business judgment rule that underpins Caremark and its progeny, cases such as In re Wells Fargo and Chief Justice Strine’s dissent in Good should serve as reminders that board processes and decision-making may still be questioned where there are specific allegations that directors ignored “red flags,”… Companies should adhere to reasonable and prudent practices and should not structure their risk management policies around only the minimum requirements needed to satisfy the business judgment rule.”

It is this “business judgement” which is at the heart of the issue when it comes to boards understanding and monitoring their cyber fiduciary liability. Unlike the pension industry, where there are existing, global, board-level ISO-based best practices, there are currently no agreed-upon principles or practices in cybersecurity to help boards evaluate their decisions on the subject.

The issue becomes even more complex when boards are faced with trying to understand how cyber risk fits into enterprise risk. Didier Cossin, Professor at IMD in Switzerland and Founder/Director of the IMD Global Board Centre, explains it this way in his book, “High Performance Boards: Improving and Energizing Your Governance”: “In general, with integrated risk thinking, we are getting to the point where boards will rely more on their business sense and the company’s processes than on complex risk models.”

As fiduciaries of all their company’s assets, board members must increasingly rely on their business judgement in making tactical and longer-term decisions regarding cybersecurity. As with the holding in the Tibble case and as Professor Cossin suggests, this requires a different approach to cyber risk board governance than has been practiced.

NIST and FAIR.

We have defined the problem as one that requires a different approach to help boards understand how cyber risk fits into strategic risk management. We understand that not all cyber risk decisions at the board level are binary, and we understand the need for a set of best practices that help boards understand and fulfill their fiduciary liability by providing an ongoing process to manage and monitor their decisions.

The FAIR approach to managing cyber risk brings a much-needed resource to help quantitatively assess and track cyber risk vis-à-vis the NIST Protocols. Until now there has not been a reliable method to assess technical conformance. Now, in conjunction with the NIST Framework, CISOs and others can more effectively anticipate and plan for potential risk. This, in turn, gives the board confidence that management is doing a good job.

As discussed earlier, boards have the additional responsibilities of managing cyber risk within the organization’s overall strategic risk, as well as monitoring the risk management process on an ongoing basis. This requires a set of global best practices similar to those used in the pension domain. Without them, should a board be sued in relation to a cyberattack under the fiduciary-liability rubric, it would be hard pressed to meet the Tibble standard.

Assessing compliance with best practices in the pension domain illustrates how difficult this can be. Much of the assessment is qualitative in nature, since it reflects business judgement and so is not binary. For example, Practice 1.1, “The Investment Steward demonstrates an awareness of fiduciary duties and responsibilities,” is usually confirmed by a document signed annually by the members attesting to their awareness. Does the document in question sufficiently summarize the fiduciary duties and responsibilities? That is where the qualitative judgment call is made.

Best Fiduciary Practices and AI.

The paradigm shift in cybersecurity requires a different approach, one that is based on real business judgement by boards. I suggest that a set of cyber risk best practices, distilled from experienced board members, CISOs and other advisors, be developed independently. These practices must be almost organic, allowing for constant updates as new information is incorporated. While business associations, trade organizations and other entities have their own efforts in this area, the big picture is that there is a multiplicity of practices without a standard for what works and what doesn’t on a global basis.

The primary focus of management and staff is on operations. Best fiduciary practices like those for the pension domain combine quantitative tools for measuring risk with qualitative tools for interpreting them. What is needed is input from board members to complement in-house expertise in designing an agreed-upon set of best practices that would be applicable regardless of the residence of a corporation or its subsidiaries.

A wide, geographically based group of board members from different companies and cultures should be organized to share their practical knowledge. Since the standards are starting from scratch, my suggestion is to use a form of Artificial Intelligence (AI) which is already familiar to the designers of the FAIR system: Bayesian Inference (BI).

BI meets the requirements of the problem: the elicitation of expert knowledge, synthesizing it where possible, and providing a means to update the practices as new knowledge becomes available. One of the best examples of such an approach was that used by the founders of BayesiaLab in quickly bringing together a group of world experts to develop COVID epidemic modelling.
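As an added illustration of the three requirements just listed (elicit, synthesize, update), and not code from the original post, the FAIR Institute or BayesiaLab, the block below encodes each expert's belief that one board-level practice is effective as a Beta prior, pools the experts, and then updates the pooled belief as quarterly review outcomes arrive. The experts, their weights and the review outcomes are constructed; pooling by adding pseudo-counts assumes the experts draw on independent evidence.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Beta = Tuple[float, float]  # (alpha, beta) pseudo-counts: effective / not effective


@dataclass(frozen=True)
class ExpertOpinion:
    name: str
    belief: float   # elicited probability that the practice is effective (0..1)
    weight: float   # confidence, expressed as an equivalent number of observations


def to_beta(op: ExpertOpinion) -> Beta:
    """Encode one elicited opinion as Beta(alpha, beta) whose mean equals the belief."""
    if not 0.0 < op.belief < 1.0 or op.weight <= 0.0:
        raise ValueError(f"invalid elicitation from {op.name}")
    return op.belief * op.weight, (1.0 - op.belief) * op.weight


def pool(opinions: Iterable[ExpertOpinion]) -> Beta:
    """Synthesize the experts by adding pseudo-counts (assumes independent evidence)."""
    alpha = beta = 0.0
    for op in opinions:
        a, b = to_beta(op)
        alpha, beta = alpha + a, beta + b
    return alpha, beta


def update(prior: Beta, outcomes: List[bool]) -> Beta:
    """Conjugate Beta-Binomial update: each review adds one pseudo-count."""
    hits = sum(1 for effective in outcomes if effective)
    return prior[0] + hits, prior[1] + (len(outcomes) - hits)


def summarize(dist: Beta) -> Tuple[float, float]:
    """Mean and standard deviation of a Beta(alpha, beta) belief."""
    a, b = dist
    mean = a / (a + b)
    std = (a * b / ((a + b) ** 2 * (a + b + 1.0))) ** 0.5
    return mean, std


# Constructed sample input: three experts and four quarterly review outcomes.
EXPERTS: List[ExpertOpinion] = [
    ExpertOpinion("board member A", belief=0.80, weight=10.0),
    ExpertOpinion("CISO B", belief=0.60, weight=5.0),
    ExpertOpinion("advisor C", belief=0.70, weight=10.0),
]
REVIEWS: List[bool] = [True, True, False, True]  # practice held in 3 of 4 quarters


def run_example() -> Tuple[Beta, Beta]:
    prior = pool(EXPERTS)               # about (18, 7): pooled belief 0.72
    posterior = update(prior, REVIEWS)  # about (21, 8): updated belief 21/29
    return prior, posterior
```

Each later quarter is folded in the same way, so the board sees both the current belief and how much confidence (the standard deviation) it has earned from evidence rather than from opinion alone.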

The paradigm shift in cybersecurity urgently requires a new, more innovative approach to defining board-level practices that meet the immediate demand and which can be updated on a regular basis as new information becomes available.

Using an Artificial Intelligence tool like Bayesian Inference, this can be done both efficiently and cost-effectively.

(From a blog post by FAIR Institute Member Robert R. Patterson, AIFA®, who is Co-Founder and President of Diogenes-FG, offering fiduciary consulting and training for CEFEX certification in Richmond, VA.)

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
