
In this episode of the Corporate Director Podcast Katie Hall, Director at PwC's Governance Insights Center, unpacks how boards can stay ahead in a fast-changing cyber landscape. She spotlights the need for ongoing director education to tackle threats...
B
Welcome to the Corporate Director Podcast where we discuss the experiences and ideas behind what's working in corporate board governance in our digital tech fueled world. Here you'll discover new insights from corporate leaders and governance researchers with compelling stories about corporate governance strategy, board culture, risk management, digital transformation and more.
C
Hi everybody and welcome back to the Corporate Director Podcast, the voice of modern governance. My name is Dottie Schindlinger, executive director of the Diligent Institute, and I'm joined once again by my amazing co-host, Megan Day, strategy leader here at Diligent. Megan, how are you doing today?
A
Hey, I'm doing great, Dottie. You know, there's a little chill in the air. The leaves are turning and you know what that means. It's the start of Cybersecurity Awareness Month.
C
It's just what I was thinking, Megan. Oh, cybersecurity. If only, if only we could move on from this topic. But sadly, no, we will never be able to move on from this topic because it continues to be a thorn in all of our sides. But honestly, Megan, you know, I was just kind of doing a little, a little quick, you know, check to see. All right, what's going on in cybersecurity? We know it's always a big deal. Here's the thing, it is still just such a big problem. I was just looking at, I don't know if you heard about this story that happened over the weekend, but there was a hack that happened on. It looks like a ransomware attack that happened on this company called RTX or, excuse me, Collins Aerospace, which owns RTX. They're having a ransomware attack and it has impacted dozens of flights all across the EU, London, other parts of the EU, because it impacts the system that controls sort of baggage handling as well as sort of like gate assignments. And so it's just causing chaos. And it's a ransomware attack. I mean, we have been talking about ransomware for easily the past decade and we all know ransomware tends to start when someone clicks on an infected attachment in an email. That's the most common pathway. It's not the only pathway, but it's the most common pathway. And it's like, really, are we still dealing with ransomware? The answer is, sadly, yes, it is still a major issue. You know, I think we, the humans, are still the weakest part of the cybersecurity infrastructure.
A
Well, I think it's only fair because we are, we are only human after all, as the lyrics like to say. But I think until technology can catch up and tell us when something bad is trying to happen to us, I don't know how we get ahead of this, but you're right, Dottie. This is. I mean, I do come back to my. My previous point about we celebrate the things that we completely continue to overlook, and this is a good example of that.
C
Well, and to your point. So I just. I found another story that I thought was, you know, worth giving a little attention to, and that is, I don't know if you've been hearing what is happening with. With JLR. And so Jaguar Land Rover, if you're not familiar with the JLR acronym, they have had a major cyber incident that has been going on for weeks at this point. It started in late August. They realized that something was very wrong. And by the Monday after they found this thing, they've had to shut down most of their factories. I mean, they have not been able to produce in factories across the UK, Slovakia, Brazil and India for weeks. For weeks now. It's costing them hundreds of millions of pounds. I mean, it's a major deal. And they're still kind of trying to diagnose what's going on and sort of what's the cause, what's going on here. But one of the things that is true is that they had outsourced most of their cybersecurity, and so there wasn't really maybe quite enough oversight happening inside the company. You know, it's not to say that outsourcing is always a bad idea, but, you know, this is so critical to infrastructure. Maybe it's not the thing to outsource. You know, I mean, certainly get external help, get, you know, professional help when you need it, but completely outsourcing, again, we don't really know all the details yet, so lots more to come on this story. It's an ongoing situation, but honestly, it's like, when are we going to get this right, Megan? It just is such a perennial issue. It really, really requires boards and leadership teams to spend time thinking about it, planning for it, asking the right questions, having the right conversations. You can't take your eye off this ball. I mean, sadly, you cannot.
A
But also it has to be just naturally integrated into every conversation. That's the only way you're going to be really able to get your arms around it. It becomes just another dimension of risk management in everything you're discussing around the board.
C
Well, Megan, that's a good segue for us to play the interview that we had with Katie Hall, who's the director at PwC's Governance Insights Center and focuses on cybersecurity. We had a chance to speak with her about, you know, what's happening in boardrooms around cyber risk and how they can think about this differently. So let's give that interview a listen.
A
Joining us on the Corporate Director Podcast today is Katie Hall, director at PwC's Governance Insights Center. Katie, thanks for joining us.
D
Thanks, Megan. I'm glad to be here with you today.
A
Well, I am excited to have you on the show to help us kick off Cybersecurity Awareness Month. Big, big month. I know.
D
Yes, it is.
A
But before we dive into the topics associated with that, could you introduce yourself and share a bit about your role at PwC and the work you do with the Governance Insights Center?
D
Of course. Happy to. So, as you mentioned, I'm part of a group at PwC called the Governance Insights Center, and we spend our full time talking to corporate executives, public and private companies across sectors, as well as executives and investors and other governance stakeholders about a variety of topics, because the landscape is constantly changing and it stays interesting and keeps us on our toes.
A
That must put you in a fascinating vantage point, I think, especially given how quickly the world of the board of directors and executive management is changing and particularly as it relates to cyber. So let's definitely start there. So, as we know, cyber oversight really transformed in the last couple of years, especially with the now new-ish, kind of getting a little old, SEC disclosure requirements, but in general this sense of increasing board accountability. So from your perspective, what kind of cybersecurity reporting is actually most effective for boards today? And where do you see boards struggling to maybe get the clarity or depth that they need?
D
Yeah, it's a great question and I'm with you. I had to stop referring to them as new because it's been a few years now. And I should have also mentioned that, as part of my role in my group, I spent several years leading up to 2023 and now post-2023 talking specifically about cyber with boards. And so I'll bring that perspective today into the conversation. This was a big topic of conversation, this being cyber reporting, leading up to disclosure, you know, disclosure readiness and disclosure effectiveness. And it still continues to be very top of mind anytime I'm talking about cyber with boards or with CISOs. From CISOs: what should we be giving the board? From boards: what should we be getting from management? And there continues to be this disconnect. And when I think about why, it's just, it's a hugely technical, complex topic that is fast moving and evolving and it's hard to get your arms around, particularly if you're a director and you have to be, you know, a specialist in many things in your role of oversight. So in terms of what works best, unfortunately, this is one of those areas where there's not a one-size-fits-all. And I think that's sort of the disappointing answer that I have to give sometimes when I get asked, do you have a template? Do you have, you know, this sort of master guide to what I should be providing the board? No, no, I don't, unfortunately. But you know, I think what boards need and what they're getting to the point of asking for, I guess getting around to now, now that we're a couple of years into disclosure effectiveness, is that they need decision-useful information. They need not just a data dump of metrics. And sometimes what CISOs will tell us is that they're giving metrics based on what data they actually have available, whether or not that's the data that's actually meaningful. So to me it's the board's responsibility to go to the CISO and say, well, what's important to you, CISO?
What are you looking at to understand the risk to the organization and how the organization is managing that risk effectively or not? So looking at a handful of really decision-useful metrics, I think, is a place to start: understanding incident response within the organization as well as any partner incidents that have happened outside the organization and, above all, tying everything back to a business unit level risk, because the board is thinking about things at the risk level and management is thinking about things at the risk level outside of, sorry, the CISO. And not that the CISO isn't, but that's just a different way, I think, of looking at it. Other things that you would particularly, or typically rather, see: you know, assessment against a recognized framework. You've got NIST CSF; we've got 2.0 coming. That has a govern piece of it. It's really focused on the board. There might be top risks to the organization. Again, nothing that's really out of the ordinary, but I think being thoughtful about curating the right information, if you're in the director's seat, asking the CISO what they think is helpful and constantly evolving what that reporting looks like.
A
Yeah, that tension between technical detail and strategic and business relevance definitely seems to be a recurring challenge, which I think brings me to my next question I'd love your take on, and that's about how boards should be thinking about director-level cyber expertise. I mean, is it realistic or even necessary for boards to have a cyber expert?
D
Great question again, and this is one where the conversation has been all over the map. So back in 2022, there was a bit of a scramble when the SEC had proposed including disclosure of cyber expertise on the board. And there was a revisiting of skills matrices and proxies and, oh, does this person actually have cyber experience or not? And so we saw numbers dip dramatically. This conversation is also still ongoing, even as, you know, as soon as, you know, last week I was having a conversation about this with an audit committee. It just depends. It depends on your company's risk profile, the industry, the strategic direction of the organization. It may very well make sense for you to have a former CISO or CIO, CTO, someone with that executive technical experience on your board. I still think it's important that they have a broad business acumen and are not so narrowly focused on one specific area. I think that continues to be the defense of the argument for a cyber expert on the board. But I see it happening. Not, not a lot. But I do see companies adding some of those executives. I still think even if you do, the board has a fiduciary duty to understand the topics they're overseeing. And so there's a fundamental question of how are we upskilling? So some of that is from the CISO and through the education they're providing through their recurring board materials and maybe annual deep dives. Part of it is accessing other third-party advisors that can help the board think through specific incidents or events as well as just broad education. There's conferences, there's certifications, there's so many other things that they can do as well. But I think there are different tools in the tool belt.
A
Yeah, absolutely. And a lot of it does come down to your organization and from the board itself. You know, knowing what, not necessarily what questions to ask, but how you ask them, what your ultimate objective is and what you're trying to glean from the conversations you're having with the CISO and other internal members of management, as you mentioned before.
D
Yes, as well, because it's important not just to know what the right questions are, because any of us could go and ask what questions should I be asking, but it's important that you have the foundational context in which to challenge the response you get and that sort of thing. So it's just as it is probably for you or I: we have to continuously upskill ourselves on these topics in which we are not trained professionals.
A
So absolutely. Well, shifting gears slightly, let's talk about when a cyber incident actually happens, because as we all know, as the other experts like to say, it's not a matter of if, but when. So what could cyber incident readiness look like at the board level? What should directors be doing right now, before an incident, to make sure they're prepared to respond effectively?
D
Well, the good news here is that we know boards and management teams are getting the memo when it comes to testing their resiliency and their readiness plans. Our annual corporate director survey this year highlighted that 81% of directors said their companies are performing tabletop exercises when it comes to cyber. So that's great news, but, you know, I sort of sound like the bearer of bad news with everything I answer here. It's one thing. There, you know, are lots of other actions that the board should be taking, even on a quarterly basis, in their conversation with the CISO, but also with the broader management team: has management identified the critical and interdependent systems and processes? What actions would need to be taken if any of those were disrupted? What is the communication plan? All of these various things are areas that the board is going to want to get comfortable with, and not just when they're going through a tabletop incident. Making sure you, again, you've got that documented, tested plan, that you know, particularly now post SEC disclosure effectiveness, that there is a process and a team if an event happens, not just that your operational side can get back to business, but also that you have your disclosure and your breach notification process underway and your materiality evaluation and all of that good stuff. So looking at that, understanding that and testing that too is hugely helpful.
A
That's great. And that, though, is harder to do when the threat landscape keeps shifting. So I want to talk a little bit about what's next. Where do you see the next wave of cyber risk coming from? Whether it's AI, geopolitical tensions, supply chain vulnerabilities, how should boards be preparing for a vast amount of change on the horizon?
D
Right. And I was going to say there's probably something that you and I don't even know about. That's the.
A
Oh, there definitely is.
D
As a former risk professional, I can say there's always something to talk about here. You know, in terms of the conversations that we're having, definitely AI is coming up quite a bit in terms of. Yes. The risk, also the strategic and opportunity side of it. But a lot around the risk. Third party continues. This is something that's been around the last several years, I think, continues to become top of mind for directors and for management teams as you think about not just who your third parties are, but how are they using their data, your data, how are they using AI with your data? I mean, there's just so many scenarios to work through there. And that's not just an IT issue. That's legal, that's cross boss, other things. Supply chain, certainly with, you know, the events of the last couple of years, supply chain is top of mind. And to me, the place the board can start there again, not needing to be the expert on all things risk or technology, is ask your CISO, ask other members: what are we not talking about? What's not showing up on the risk radar right now? How do we think about what's around the corner? If it's AI, if it's quantum computing, what is going to be the thing that we need to be focused on and how are we prepared for when said risk starts to materialize?
A
If the board wanted to do one thing differently or take one concrete step over the next year to strengthen their cyber oversight, what would you recommend?
D
I'm going to sound like a broken record, although I don't think I've mentioned it that many times. Education, upskilling. There's some other things too that I would talk about. But even again, going back to our corporate director survey, directors have told us they know that there are areas, and one area that they feel that they could contribute more to overall board effectiveness in their role is by upskilling themselves. And again, if you think about all of the topics that are headed their way, broad cyber, but also quantum, AI and some others, seeking out education programs within the organization through your CISO, through your CTO, CIO, but also externally, to round out their own knowledge is going to be huge. And it's nothing new. And I don't think it's particularly hard. I know everyone has demands on their time, but getting that education is going to be a big piece of it. And I'm going to add on, not just one thing, I'm going to give two: your relationship as a board. Think about how you're investing in your relationship with your CISO. And when I say CISO, it might be also your CIO or your CTO, depending on the reporting structure. But are you meeting with them outside of regularly scheduled board or audit committee meetings? I think of it similar to how I would think about a CAE or maybe an external audit partner. You want to be able to pick up the phone and ask your CISO anything. I was with a group of CISOs yesterday, in fact, and many of them were describing the relationship that they have with their audit committee chair as one of: we see an event in the news, we pick up the phone, we call the chair, we talk about it, we talk about what we're doing. So you want to have that direct line that is not just limited to your quarterly in-person meetings. So relationships and education.
A
Love that. And I want to pull on a thread that you hinted at before, and that's about how broader parts of the organization are getting involved in cyber readiness and response, not just the CISO's office. What are you seeing there, and what kinds of questions should directors be asking to ensure that this type of cross-functional engagement is happening?
D
Absolutely. And this is again something that has come up in conversation with CISOs: that cyber is not just an IT issue, AI is not just an IT issue. There's a big piece of it that sits with technology, with security, but it is a cross-functional risk and cross-functional responsibility to manage. So if I think about some of the different stakeholders: the CFO and probably your corporate secretary or GC, maybe IR. What do our disclosures look like? Are they investor grade? Could we provide more information there? You know, internal audit. How are we thinking about cyber as part of the annual audit plan and not just the SOX-related financial reporting controls? How are we thinking about looking at different areas of cyber risk? Thinking about AI and, you know, going even into the incident response program. Are they looking at that? Are they testing how often that's updated and tested and all that stuff? And then I think tying it back to the business unit level, asking business unit leaders, or whatever the structure of a company looks like: how are you thinking about cyber risk in each of your lines of business and your products and your services and your relationships with your third-party vendors? How are you thinking about it? And then maybe back to the GC or to your contracting group, whoever is working on that. Procurement. That's the word I was looking for here. Procurement group. How are they performing due diligence around cyber and controls and expectations when contracting with third parties? So it really is, I mean, that's just a short sample and you can see it really does cross the business in terms of where we need to be thinking about connecting the dots with risk in the board.
A
That's great. Well, before we wrap up, any final thoughts to leave with our audience of directors and executives who are really just trying to stay ahead in this fast-moving and slightly upside-down world right now?
D
Absolutely. I would start with, we've made great strides in the director community in terms of enhancing cyber oversight practices, and that is wonderful. But we all know it's a constantly changing game here, and to stay ahead of it just requires diligence and awareness and the ability and desire to stay curious here. So keep going there. There's more to go here.
A
Well, let's dive into the questions we ask all of our guests on the show. Sure. The first is, what do you think will be the biggest difference between boardrooms today and 10 years from now?
D
This is going to be the same answer that everyone gives. I think it's, what's the biggest difference between blank and in 10 years? It's technology. Who knows what that's going to look like in the boardroom and how, how technology's use and appearance in companies is going to have that sort of knock-on effect in the boardroom. But I, I'm going to say technology.
A
What was the last thing you read, watched or listened to that made you think about governance in a new light?
D
So I'm embarrassed to say that I just saw the movie Wall Street for the first time a couple of weeks ago, and I've been listening to a podcast on private equity and they kept referring to it. I thought maybe it's time I finally watched this. And wow, if there aren't a lot of, I mean, we now have the benefit of hindsight and saying this is why all these things are, regulations are in place. But you know, in terms of insider trading and gatekeeping and risks and incentives, all of that in there. So I, it's truly now to put my corporate governance hat on and watch it and think there's all these things happening that are wrong. So it was entertaining.
A
Yeah, absolutely. And what's the private equity podcast, if you don't mind me asking?
D
I think it's the Stuff You Should Know. There was a webcast, there was a podcast rather, just about PE and the origins of PE, and I just found it really interesting and entertaining.
A
Cool. Love that. Well, last but not least, what is your current passion project?
D
So this is a random one. I'm on the board of trustees at my local library, and we are currently putting forth a more sustainable funding mechanism for our library, and we're putting it out for a public vote in a few months. I've been doing a lot of work around that effort and public awareness and all of that.
C
Very cool.
A
Yeah. Great work. All right, well, thank you so much, Katie, for joining us on the show today.
D
Always a pleasure. Thanks, Megan.
C
Well, Megan, thank you so much for that interview. She points out the importance of ensuring that you've got good education and good resources available to leaders that are trying to make good decisions around cyber strategy. And I feel like I need to put in a shameless plug here: if you're a Diligent customer and you're using our Diligent One platform, you have access to all of our certification programs, including our cyber risk and strategy certification that is designed for board members and senior leadership teams, as well as another program on enterprise risk management. And both of those programs are just really great at helping you to get that solid grounding of what do you need to know, to make sure that you've got the right investments in place, you're asking the right questions, you're keeping your eye on the right metrics. You're really kind of providing the right level of oversight on these important issues.
A
It's again, to me, this idea like, I am, first of all, awesome to see that boards, 80%, whatever the statistic was, are doing tabletop exercises. Holy cow, that feels night and day to even where we were five years ago. But agreed, that will only take you so far. And it just continues, for, at least in my mind, to bring up questions about nimbleness and responsiveness and the need for flexibility and adaptivity just across organizations in a way that has never taken place before. And that starts at the board level.
C
For sure. I mean, one of the things I will say is, I know when PwC does their research, they're very thorough, but I have a feeling most of those respondents were some of the larger public companies. And so you would expect 81% of them to do regular tabletop exercises. The insidious thing is that those that are most at risk tend not to be the big guys, right? They tend to be smaller companies, a lot of private companies, a lot of nonprofit organizations, state and local governments, you know, school districts. These poor organizations are at such risk for things like ransomware, for things like, you know, little, little attacks that come into their system because their system doesn't have the latest technology installed or hasn't been patched in forever, isn't using supported software. It's that kind of stuff, that basic stuff that we all have to take responsibility for as individual users of systems. And often, like we go, I'll do that later. You know, how many times have you said, oh, I don't want to update my iPhone right now, you know, because I don't have time for that. And it's, you know, 20% battery. I'll get to that, you know, tomorrow. And then tomorrow becomes a week, and then it becomes two weeks. And the truth is you're basically just kind of inviting bad things to happen, because those patches always come with the latest security provisions in place. That's one of the main reasons that you install them, is because you want to have the latest and greatest security in place. You know, it's even just little things like that. We need to make sure that we're doing all the things. And you know, it's not just the big companies that are at risk. In fact, I really think these days, because it's so easy to mount an attack, it's those that don't have the greatest security in place that are most at risk.
A
It brings to mind a recent issue that I heard about that's, you know, unrelated to corporate boards, but I think an example of how far this has just infiltrated our day-to-day lives. A podcaster slash social media influencer that I follow, completely unrelated to work or corporate governance or any of the things we do in our day job, received an email from a fairly innocuous email address stating to be from an agent that works with a very, very popular comedian. And that comedian was a fan of this influencer's work and would love to have her appear on this person's podcast. Let's set up a time to connect. Would you love to have that conversation? Yes. Okay, click my, you know, my Calendly scheduler link here and let's get that set up. She does that. Turns out she just handed over her entire computer and infrastructure to a malicious actor. 100% something I would fall for if I was in that scenario.
C
Well, totally. I mean, I think that's the thing, right? Like that's, that's a perfect example, Megan, of how, first of all, I think a lot of the bad actors have gotten really smart at understanding a couple of important things. One is what would motivate us to click on a link, right? So what would we find intriguing enough that we would want to download something or click on something? They make it really enticing. That one obviously was a successful one, I think. Because I spend a lot of time talking about cybersecurity, Megan, I probably get about 15 of these a day. And some of them, some of them are laughably, ridiculously awful. Like, I don't know if you've recently been getting the smishing. We've been getting a huge smishing campaign here in the US right now, with numbers that come up on our cell phone, clearly not from within the US; they're clearly foreign numbers, telling us we have a citation with the Department of Motor Vehicles in our state, and if we don't pay it by Tuesday, they're going to impound our cars. And it's really funny. It's like, yeah, last time I checked, I don't think the Pennsylvania Department of Motor Vehicles was using a number that's based in Niger. So I'm not sure that this is true. But, I mean, so some of them are laughably dumb. But I get a lot that look really, really real. And I've just, I guess I've gotten to the level of being paranoid enough. Now I pretty much don't download or click on anything until I have validated that it was sent by the person who said they sent it. And so, you know, quite honestly, what that means is, someone I don't already know, I don't click on anything that they send me. And so that's just something to know. Like it's, you know, I might be sounding like I need to, you know, walk around with a tinfoil hat on, but honestly, it pays to be a little paranoid because it's so easy to get hacked. Well, so hopefully all of you are celebrating your Cybersecurity Awareness Month.
Megan and I talking about doom and gloom and all the bad things that can happen. Yeah, I do think they didn't choose October arbitrarily. Right. Because October is the month we generally associate with spooky things and scary things. And cyber risk is pretty scary. So, boo. Go get your cyber house in order. Well, Megan, that wraps up another episode of the Corporate Director Podcast, the voice of modern governance. We'd like to say a few special thank-yous, first and foremost to our cybersecurity expert, Katie Hall from PwC; podcast producers Kira Ciccarelli, Steve Clayton and Laura Klein; our sponsors, PwC, KPMG, Wilson Sonsini and Meridian Compensation Partners. And most especially, thank you to Diligent. If you like our show, please be sure to give us a rating on your podcast player of choice. Five stars only, please. You can also listen to our episodes and see more from the Diligent Institute by going to diligent.com/resources. Thank you so much for listening.
B
You've been listening to the Corporate Director Podcast. To ensure that you never miss an episode, subscribe to the show in your favorite podcast player. If you'd like to learn more about corporate governance and tools to help directors do their job better, visit www.diligent.com. Thank you so much for listening. Until next time.
Episode: Strengthening Cyber Oversight
Date: October 1, 2025
Host: Diligent — Dottie Schindlinger & Megan Day
Guest: Katie Hall, Director at PwC’s Governance Insights Center
This episode, released during Cybersecurity Awareness Month, focuses on the evolving landscape of cyber oversight in corporate governance. Hosts Dottie Schindlinger and Megan Day discuss current cyber risks, recent incidents, and best practices for board directors. The centerpiece is an in-depth interview with Katie Hall of PwC, offering pragmatic advice for boards navigating growing expectations around cyber risk, reporting, boardroom expertise, and cross-functional approaches.
For more resources and certification programs on cyber risk and strategy, see: www.diligent.com/resources