The 2024 Directors Think Survey, conducted by Corporate Director, BDO and Diligent Institute, found that AI and cybersecurity have emerged as two of the most challenging areas for directors to oversee, cited by 36% and 35% of respondents, respectively. While board members maintain a neutral outlook on the U.S. business environment, these two areas are becoming more important to both short- and long-term success.
New AI risks highlight need for increased oversight
Technologies such as generative AI have the potential to transform the way we work, and many boards are wary of gaps in their organization's readiness. Without proper governance over the implementation and use of AI, organizations could unintentionally expose themselves to new risks.
Shareholders share these concerns, according to the Directors Think Survey. When asked about the issues that most concerned them, the majority of directors (88%) pointed to an increase in inquiries from shareholders about the development of AI and generative AI.
According to BDO's 2024 CFO Outlook Survey, finance leaders see AI as a tool to help improve compliance and reporting, safety monitoring, pricing decisions, customer service, contract management, back-office automation, field service, and more. However, information security remains a concern: CFOs noted, for example, that there are still open questions about how open source AI platforms and large language models (LLMs) use and store data. The potential benefits of AI tools must be weighed against the need, and the ability, to protect sensitive information.
What do these concerns mean for businesses? As companies incorporate AI into their operations, leaders must continue to anticipate, monitor, and respond to evolving risks. This means maintaining proper governance and ethical-use policies and procedures, and providing current and future employees with the right AI skills and continuing education. Boards need to understand how management prioritizes risks and how it mitigates potential bias arising from the datasets and algorithms in use.
As AI, especially generative AI, rapidly becomes integrated into everyday business operations, nearly half (49%) of organizations are working hard to establish AI policies (2024 CFO Outlook Survey). Additionally, 39% are building in-house solutions to protect sensitive customer and proprietary data and customize tools to fit their needs.
Keeping up with new regulations: SEC raises cybersecurity requirements
As if the current threat of cyber incidents impacting the business were not enough, businesses are now exposed to cyber risk from a new angle: increased disclosure and incident reporting regulations. The recently enacted SEC Cybersecurity Disclosure Rule adds annual reporting requirements for public companies to disclose their cyber risk management, strategy, and governance processes, along with time constraints for publicly reporting significant cyber incidents. Under these rules, public companies, and the "third parties" in their supply chains, need to examine how the organization manages its cyber exposures and, importantly, how the board of directors oversees that process.
Boards generally do not appear overly confident in their own ability to oversee the management of cyber risk, or in management's ability to manage cybersecurity effectively. For example, when the Directors Think Survey asked how well prepared boards and management teams are to comply with the SEC's new rules on cyber risk disclosures, respondents rated board readiness at 6.75 out of 10 and management readiness at only 7.28 out of 10.
When a cyberattack is confirmed, businesses need to determine quickly whether the incident could have a significant impact on the organization. This can be difficult because cyber incidents take many forms, can affect many systems, and can go undetected for long periods of time. To make such judgments in a timely manner, boards and management must have an evaluation process in place that considers both qualitative and quantitative factors when assessing materiality. To limit the damage caused by a cyberattack, boards and executives must also have an up-to-date incident response (IR) plan so the company can act as soon as a suspected cyber incident arises. The plan should take into account the SEC's new four-day reporting deadline for cyber incidents deemed material. The IR plan should also include established reporting and communication processes to help the company comply with other relevant laws and regulations at the local, federal, and international levels.
To meet the new SEC rules' disclosure requirements on management and board oversight of cybersecurity risk management, companies should review their current policies, procedures, and protocols to determine whether adjustments are necessary. This review should also include a broader assessment of whether what is disclosed is consistent with other governance documents, such as the company's proxy statement, board committee charters, and other public and internal documents that describe the company's data and cybersecurity protocols. The review may identify a further need for education and collaboration between directors and management.
Because breaches most frequently occur due to human error (such as an employee falling for a phishing scam) or third-party exposure, all stakeholders must understand their role in strengthening and protecting the company's cybersecurity posture. Board members should ensure leaders not only invest in employee and stakeholder training, but also encourage collaboration across teams to help the company mitigate exposure and respond quickly and effectively in the event of a cyber incident.
Moving from reactive to proactive: What boards need to know
Digitalization, including the use of advanced technologies such as AI, offers many opportunities to enhance business operations, but organizations must first have functional, foundational data and usage protection, monitoring, and company-specific cybersecurity programs in place. To increase oversight in these areas, boards should structure meeting agendas to prioritize significant risks, stress-test the company's cyber incident response (IR) program and governance oversight, and emphasize the importance of building a culture of ethical technology use. Continuing education on the changing risk environment for all employees, including directors, should also be considered.
Governance structures should include protection and enforcement mechanisms, training, and efforts to strengthen the control environment to address emerging risks. As part of this, boards should engage regularly with management and with parties both inside and outside the organization, including advisors and law enforcement, as well as IT, internal audit, legal, and other relevant professionals, as appropriate. To protect company stakeholders from AI and cyber risks, boards should establish accountability mechanisms and ensure that management regularly monitors and updates its data and cybersecurity programs.