The Board of directors has a fiduciary responsibility to protect its organisation against material risks, which have traditionally centred on profitability, reputation, and sustainability. However, the rapid digitisation of business processes, mainly due to COVID-19, the convergence of IT/OT networks, and the surge of cyber-attacks by threat actors have added a new topic of interest: cybersecurity.
Cybercrime is projected to cost the world USD 6 trillion, with an estimated growth of 15% every year. The Australian Cybersecurity Centre reported a loss of USD 23 billion due to cybercrime, with medium-sized businesses reporting an average loss of USD 23,736. Cybercrime is also the number one predicted future risk globally in AON’s recent Global Risk Management Survey.
The cyber threat landscape is evolving fast as threat actors leverage artificial intelligence (AI) and machine learning (ML) technologies to weaponise their payloads more effectively. In addition, easy access to attack tools on the dark web has led to the emergence of organised crime cartels. Unfortunately, gaps in the ability to detect or block cyber-attacks have only made matters worse for many organisations.
Regulations around the world are applying increased pressure on the Board and the leadership team to protect consumers and investors from cyber threats. Yet 26% of Board directors acknowledged a lack of board time and attention on cybersecurity, and 66% of respondents felt they didn’t have a clear picture of their company’s cybersecurity risks.
Board and leadership teams are proficient in dealing with most risks to their businesses. However, cybersecurity is a complex matter that requires access to specialists with niche skills to navigate the rough seas. Too often, the messaging to the Board on cybersecurity is laced with proposals soliciting expensive investments in the latest technologies, or with a compliance-based approach that is expected to solve all the cyber problems. The truth is that risk cannot be eliminated, only managed within the organisation’s risk appetite. Many Board members and executives are losing sleep over the prospect of a cyber-attack. They are also concerned about their ability to identify and manage risks, respond to an incident, and recover within acceptable timeframes. Businesses need access to trusted advisors who can give pragmatic advice on managing risks without being distracted by the escalating hype around the threat landscape or the numerous compliance frameworks.
High-profile data breaches at Target, Equifax, and Sony Pictures are unfortunate case studies in the implications of poor board governance on cybersecurity. By contrast, a top-down approach by the Board and leadership team to managing cyber risks presents an excellent opportunity to build trust with clients, enhance reputation in the community, and maintain profitability by mitigating the risks that threaten business operations.
Let’s take a moment to identify a few red flags of bad governance in an organisation. Firstly, there is no top-down approach or management commitment to cybersecurity; most decisions are left to the discretion of managers in the middle or lower ranks. Secondly, cybersecurity problems are approached only through the lens of technical solutions, leaving people and business goals out of the equation. Thirdly, the organisation’s culture perceives cybersecurity as an overhead cost, and it is often the last requirement considered in business initiatives. Lastly, the absence of a tested incident response plan often leads to reputational damage and crippled operations in the event of a cyber incident.
The Board of directors needs to adopt a risk-based approach to cybersecurity. This journey begins by asking your CISO, or whoever is delegated to run the cybersecurity program, the right questions. Let’s explore some of these questions.
- Have we identified the cyber risks for our company and customers? Are we managing those risks effectively?
- Do we know the value of our data and how it is protected?
- Do we know where our data is stored?
- Do we know who has access to our systems?
- Do we have the capability to detect and respond to an incident swiftly? When did we last test the plan, and what were the findings?
Having clear answers to these questions helps the Board prioritise the efforts and investments required to protect the organisation’s “crown jewels” and demonstrates due care in mitigating cyber risks to the business.
Given the impact of cybercrime on businesses, Boards are educating themselves on cybersecurity. While the Board can do a lot, here’s a basic starter kit to set the ball rolling in your organisation.
- Regularly include cybersecurity on the Board’s meeting agenda to discuss cyber risks and nurture a positive cybersecurity culture.
- Define and regularly review the cyber risk appetite to ensure its alignment with organisational goals.
- Sponsor independent third-party reviews of the organisation’s cyber maturity to identify underlying material gaps.
- Appoint a CISO or equivalent to oversee the protection of your organisation’s digital assets.
- Purchase cyber insurance to protect the organisation against significant cyber incidents.
Cybersecurity is not an IT issue but a strategic risk, and opportunity, for organisations, one that needs to be effectively controlled by the Board to protect consumers and investors.