Cyber security risk affects the entire company, but ultimately it is the board of directors who bear the greatest responsibility. Boards of directors are under an increasing spotlight for how they prioritise this critical business issue, especially in the face of the mounting cost of cyber-attacks. After all, according to a 2018 report from the Centre for Strategic and International Studies (CSIS), nearly 1% of global GDP, or $600 billion, is lost to cybercrime each year. So, how can boards better strengthen their cyber security posture?
ESSENTIAL CYBER SECURITY CONSIDERATIONS FOR THE BOARD OF DIRECTORS
In order to strengthen your board’s cyber security posture, certain considerations should be taken into account. It is mission critical to reiterate to your board why assessing essential cyber security criteria matters, and why a cyber security skills shortage on the board itself can spell grave trouble.
Here are five key elements to consider when fine-tuning cyber security posture:
GOVERNANCE
A key take away from the EY Cybersecurity Board Summit held last year was that the board’s role is not cyber security risk management but ‘cyber security risk oversight’.
Boards need to consciously define their approach to overseeing cyber security risk. They also need to link together the management, business unit leaders as well as IT and security leaders to better govern this risk.
Security can be perceived as a huge grey area for many boards of directors, whose IT skills have often been found to be lacking. In order to govern better, boards should also address their own talent gaps when it comes to cyber security. The Harvard Business Review counsels that, for optimal security, businesses in ‘strategic mode should have an IT oversight committee chaired by an IT expert’.
PRACTICES
The dynamism of the cyber environment continues to keep board members on their toes. Practices that worked six months ago may not work for the cyber incidents of today.
PWC recommend seven key areas to engage the board’s cyber focus:
- Have an oversight approach to this issue and work alongside a cyber expert
- Understand cyber as an ‘enterprise-wide business issue’
- Understand fully legal and regulatory requirements
- Discuss the competence of the company cyber strategy plan
- Engage in discussions with management about ‘cyber risk appetite’
- Stay up to date with the right information about the programmes put in place, and discuss them regularly during board meetings
- Monitor cyber resilience in the boardroom at measured intervals
POLICIES
The board need to be kept informed of company-wide policies regarding internal controls, external activities and, most importantly, training. Within the board room in particular, policies on how highly confidential information is communicated to each member should be clear. Introducing tools such as secure board portals allows board members to share that information efficiently and securely via a digital platform.
PROCEDURES
What happens in the case of disaster? How can boards prime themselves and the organisation to respond nimbly to a cyber-attack?
Part two of this blog series will focus on the crisis management procedures that boards oversee for cyber breaches before, during and after the event. In a nutshell, however, here are some key questions that boards should be examining, according to cyber experts:
- If the company does not have a cyber incident plan, why not? What is the company’s timeline to develop and test one?
- When is the board notified of cyber breaches?
- Should the board participate in or observe table top exercises to better understand the company response plan?
- Does the plan take into consideration pre-incident preparedness, actions during an incident and post-incident recovery efforts?
Part II of this content series will examine more closely how imperative cyber incident procedures are.
TALENT SHORTAGES
Remaining agile in the face of cyber-attacks means that hiring and nurturing talent is essential, not just on the board but throughout the organisation. A 2019 survey cited by CSIS found that “82% of employers report a shortage of cybersecurity skills, while 71% believe that this talent gap causes direct and measurable damage to their organisations”. By 2022, it is anticipated that there will be a global talent shortage of 1.8 million positions.
So where does this leave the board of directors? While it is obvious that a board’s oversight responsibility covers risk governance, ethics and corporate responsibility, talent retention, and especially the retention of cyber security talent, can be overlooked.
According to Deloitte, to oversee potential talent risk, boards need to take the following steps:
- Review talent related risks
- Develop measurable outcomes
- Assign the responsibility
- Monitor the talent pipeline
- Align the talent and business strategy
READYING THE BOARD FOR A STRONGER CYBER SECURITY POSTURE:
According to a Spencer Stuart survey of audit committee members, ‘only 21% of directors agree their company has cybersecurity risk well under control’ while ‘66% of senior IT executives’ report to the board only “occasionally”.
While it is common knowledge that the board will have to superintend the fallout of a cyber-attack, there are still many instances where boards are unaware of basic but critical information. In order to better steer the board towards a stronger cyber posture, EY’s Centre for Board Matters noted in 2019 that ‘one of the most important things a board can do is set the proper tone and align with management on the appropriate risk appetite related to cybersecurity’. It is therefore very important that, between discussions of risk management and strategy, boards are informed by the latest information.
Directors need to insist on a system of reporting and training from management teams, and especially from those groups involved in cyber security. At a time of unprecedented technological change, managing digital risk is still a collective responsibility.
4 KEY WAYS DIRECTORS CAN IMPROVE THEIR KNOWLEDGE OF CYBERSECURITY
- Discuss the company’s risk posture in depth: PWC recommend discussing the following elements to kick off a much-needed conversation: the company’s cyber strategy, the types of cyber threats facing the company, the most important digital assets within the company, the results of the most recent risk assessment and any planned mitigation actions.
- Attend external programs: Attending conferences on cyber risk oversight can aid directors to learn about new developments and best practice for board members.
- Discuss regularly with management: While this is a no-brainer, it is critical that boards share with management what they themselves have learned about cyber security.
- Exchange regularly with third parties: PWC note that for boards to really enhance their knowledge of cyber security they should invite outside opinions. For example, external consultants can update the board with their periodic assessments of the organisation’s cyber security risk. According to a U.K. government Cyber Security Breaches survey published this year, ‘three in five businesses (59%) have actively sought information or guidance on cyber security from outside their organisations in the past year’.
PROCEDURE AND REVIEWING MANAGEMENT’S RESPONSE PLAN
An essential activity boards need to undertake is to review management’s response plan in the event of a breach. This plan should contain information that outlines who are the key decision makers and what actions should be undertaken.
Here are some key questions to consider to prime your board procedure:
QUESTIONS TO SHAPE BOARD PROCEDURE
- What are the most valuable assets within the enterprise?
- Is there an existing enterprise-wide risk management framework in place? (Whether it is adequately staffed and budgeted for is also crucial here.)
- What are potential vulnerabilities within the company in terms of its network? (For example, third party access).
- How are cyber-attacks uncovered in real time?
- What is the company’s response plan in the event of a cyber-attack? How often is the response plan tested?
- What relationships does the company have with third parties in order to respond efficiently to a breach? How can these relationships be developed further?
- Has the board completed a mock cyber security incident? If not, consider running one to sharpen the board’s procedure. This should be done regularly, with key stakeholders encouraged to get involved.
- Consider creating a team within the organisation that is responsible for rapid response to a cyber incident.
COMMUNICATION PROCEDURES
Also critical after a cyber breach is the public announcement to stakeholders. The board need to have in place a communication plan that breaks down when and how clients, staff and external bodies are notified. The board also need to oversee the plan for when the police are notified. In more serious instances it is also recommended that the board engage a digital forensics team to review the evidence of the breach; the board therefore need to determine whether this team will report to management or to the board.
SECURITY, NOT COMPROMISES
One critical step boards can take towards stronger security protection is securing the highly confidential information they have at their fingertips. By adopting a board portal such as DiliTrust, board members can trust that their data is stored locally on servers in Europe, the Middle East and Canada, on a platform that is GDPR compliant and ISO 27001 certified. To find out more about how secure the DiliTrust Exec board portal is, please contact a member of our team today.