March 2023

Christopher Clark conducts interviews with leading corporate directors and subject matter experts for Stuart Levine & Associates, a global consulting and leadership development company. The Planet Governance™ interview series features the views of corporate directors, chief executives, and governance experts on timely issues from succession planning to cyber-resiliency to stakeholder activism.

Chris Hetner is on the TCIG board of directors, Special Advisor for Cyber Risk at NACD, Chair Cybersecurity & Privacy for the Nasdaq Center for Board Excellence, and a National Board Member of the Society of Hispanic Professional Engineers. 

He served as the Senior Cybersecurity Advisor to the Chair of the United States Securities and Exchange Commission and as Head of Cybersecurity for the Office of Compliance Inspections and Examination at the SEC. He also represented the Chair of the SEC as a senior member of the U.S. Department of the Treasury Financial Banking Information Infrastructure Committee.

This expert says cyber risk management is a team sport that requires the entirety of the enterprise to ensure business resilience…

Chris Hetner


Clark: Good morning, Chris. 

The standard mantra: directors need to understand cybersecurity so they can ask the right questions. However, the tide may be turning to one or more directors possessing first-hand experience and expertise in managing cybersecurity operations and strategy.

What’s your view?

Hetner: We’re constantly bombarded by the introduction of new technologies. It innovates, it creates disruption, it creates a competitive advantage for our industries worldwide, but it also comes with risk. That risk can emanate from external sources, whether it be an adversarial group or a criminal syndicate or nation state that’s looking to inflict harm to your enterprise, or it could come from an internal source such as a disgruntled employee, but quite frankly, it could be non-malicious in nature. Somebody just accidentally misuses technology. The misappropriation of data and the misappropriation of funds are common.

While it would be ideal to have a dedicated cyber or technology expert on every board of directors, I’ve realized that it’s best to have an independent voice, i.e., external resource, providing on-demand support with a team that has overseen technology and cybersecurity to readily expand the board’s cyber expertise.

More importantly, how do we deliver a broader discussion that’s centered on business, financial, and operational context into the boardroom so the entirety of the board is engaged? The less-than-ideal juxtaposition is having an individual board member engaged in a highly technical dialogue with management.

Clark: CISA has been directed to undertake a study to help clarify the harm being inflicted by cyber-attacks and to assist in developing a set of workable solutions. What should directors do in the meantime? 

Hetner: I commend the Administration for taking a step towards systemic risk reduction. Their goal is to take a proactive position that intercepts those cyber threats inflicting material, operational, and financial harm across our critical sectors. This strategy aligns closely with my objectives as senior advisor to the Securities Exchange Commission chair and helping to shape how the securities market thinks about systemic risk reduction.

The current state is governing cybersecurity risk through the lens of technology; the nail, if I may, is always treated with a technology hammer. We have a long way to go to create a shift in terms of how cybersecurity can introduce material, business, operational, and financial harm. The SEC, in the proposed rule that is scheduled to be approved this April, lays out a comprehensive enumeration of the types of costs and adverse consequences a company may incur or experience due to cybersecurity.

For example, the SEC rule highlights costs due to business interruption, decrease in production, delays in product launches, and the payments to meet ransom or extortion demands. The rule also addresses loss of intellectual property and how that can impact company competitive advantage. Unfortunately, the conversation in the boardroom is focused on operational and technical matters that don’t align to the reduction of business and financial risk. What CISA and the SEC are attempting to do is, “Let’s focus on resilience before the incident occurs, let’s move more left.” We call it ‘left of boom’. Right of boom is the incident has occurred; left of boom is let’s become more proactive.

Clark: The fact that most boards are not ready for what the SEC has proposed combined with a shallow pool of people with first-hand cybersecurity experience, a dedication to governance, and a strategic mindset is a bit jarring.

Hetner: You’re spot on. In fact, I would even broaden the aperture to say the pool of cybersecurity resources globally is very modest. One estimate suggests there are 3.5 million vacancies in cybersecurity. These are 3.5 million jobs that are unfilled, and we’re not producing enough cybersecurity resources through the university system. As you distill down that pool to an individual that could be effective in the boardroom, it becomes even more narrow because, to your point, the individual, while they might have cybersecurity expertise, might not be able to function broadly. You must think about strategy and human capital… and risk areas beyond cyber, such as geopolitical risk, competitive market advantage, and supply chain risk. The last thing you want is to have an individual on the board that operates as the “one-trick pony” cyber expert.

One would argue the more efficient model is to retain outside experts that can access a broader range of expertise beyond cyber and can source from a pool of experts into the boardroom and help deliver more context around how the board should be thinking about cyber risk oversight.

Clark: How can CISA and the markets collaborate more effectively to enact change?

Hetner: From my viewpoint, the cybersecurity ecosystem largely operates within an echo chamber and tends to be highly tactical in nature. There’s always a technical tool being applied to address the problem.

The cybersecurity industry has historically been extremely deep, complex, and tactical in nature, which is not well understood by the executives and boards of directors responsible for oversight. I think we’re starting to see that shift – it’s deliberate and being brought via CISA, and through the Securities Exchange Commission. In addition, the risk transfer markets are starting to influence cybersecurity safety standards.

There are hundreds of thousands of policies being underwritten by carriers and packaged within the reinsurance markets, applying a range of advanced analytics factoring in firmographic data such as industry type, geographical footprint and revenue distribution combined with how cyber threats can introduce material business and financial harm. I always argue the risk transfer markets will ultimately serve as the arbitrator for cyber risk.

We’re seeing the market forces starting to take shape around this matter with the formation of Cyber Insurance-Linked Securities. These cyber catastrophe bonds will open capacity across the cyber insurance industry – and drive heightened standardization on how companies price and manage cybersecurity by the capital markets.

Clark: One of CISA’s tenets for fixing cybersecurity is that tech companies need to be responsible for baked-in secure designs. How does that happen?

Hetner: The introduction of safety and compliance has historically been viewed as an impediment towards productivity. We must incentivize companies to proactively embed cybersecurity safety standards within the development cycle. 

Clark: What type of incentives?

Hetner: It could be tax incentives, competitive advantage (i.e., safety seals), and regulatory requirements. The consequences of not applying safety measures can result in regulatory action and liabilities directed towards directors and officers.

Another incentive could stem from government providing access to advanced cybersecurity resources to our critical infrastructure entities and insurance backstops to support catastrophic cyber events.  

Clark: What is your final thought on the upcoming cybersecurity SEC standards?

Hetner: I would advise the boardroom community to start the process now. If you’re not comfortable with what’s being articulated in terms of cyber risk reporting by your management team, then look to retain some cyber expertise outside through an independent assessment.

It could be a hygiene check on the efficacy of your cybersecurity program, and/or the level of cybersecurity reporting. These reports must deliver direct and indirect financial implications that can negatively impact the company’s balance sheet, which can negatively impact the stock price. If that’s not the case, then there are opportunities to improve that level of oversight in the boardroom.

Clark: Is there light at the end of the cybersecurity tunnel?

Hetner: Yes, I would say let’s not overcomplicate the matter. It must be managed like any other business risk.

Clark: Chris, thank you for your insights.

Chris Hetner is on the TCIG board of directors, Special Advisor for Cyber Risk at the NACD, Chair Cybersecurity & Privacy for Nasdaq’s Center for Board Excellence, and former Senior Cybersecurity Advisor to the Chair of the SEC.  

Chris Clark joined Stuart Levine & Associates as a senior consultant after a distinguished career at the National Association of Corporate Directors. His expertise ranges across a variety of disciplines including corporate governance (with data-driven board assessments as a cornerstone), strategic communications, conference management, and digital content creation.