Boards are under increasing pressure from regulators, clients and investors to safeguard data and protect against operational disruption. Tackling the complex, rapidly changing issues of cybersecurity effectively is, therefore, vital.
1. Good cybersecurity
Good cybersecurity starts with the board, so make sure members understand the risks involved, existing cyber-protection measures and the vulnerability level of the company before deciding on a course of action. Providing training for the board and the audit committee to gain oversight of the issues is a good place to begin.
2. Expert advice
Invest in expert advice and support to explain increasingly sophisticated potential threats and identify weak spots. Once this is done, it should be possible to build a robust security framework against internal and external attacks.
3. Clear security policy
Make sure your company has a clear security policy to protect personal data. The plan must meet the tough requirements of the EU’s General Data Protection Regulation, which came into force this year. In the event of an attack the plan must stand up to heavy regulatory scrutiny.
4. Specialist skills
Appoint a board member with cybersecurity experience or specialist technology skills to explain cyber-risks to the rest of the board. This makes for an informed, well-prepared board, including the chairman. It also helps lines of communication if one person is responsible.
5. Investor concerns
Deal with institutional investor concerns on cybersecurity promptly and efficiently. As investors step up engagement on the issue, they are asking more searching questions. The specialist board member responsible for security must be ready to provide information on the number of times the company has been breached or systems patched. Investors need assurance and are unlikely to put money into a company where there are doubts over cybersecurity.
6. Test the system
Test the company’s crisis procedures. Run a range of simulated attacks to flag up the company’s level of resilience. Measuring performance will give an indication of robustness or vulnerability, and reveal what still needs to be done. It is best practice to model the cost of a cyber-attack.
7. Comply with guidance
Boards need to make sure they comply with guidance on post-breach disclosure procedure, issued by the US Securities and Exchange Commission earlier this year. In the event of an attack, businesses must have a security policy in place that enables them to make a quick and efficient assessment of risks, and disclose the breach to investors, the regulator and the public in a timely way.
8. Post-breach fallout
Directors need to prepare for the wider implications of a cyber-attack, such as reputational and legal risks and damage, and for the extent to which the operational side of the business is affected. Running through a post-attack, worst-case scenario can provide useful advance practice.
9. Risk management
Maintain ongoing risk management and update regularly. Don’t allow complacency to set in once a cybersecurity plan is in place.
10. Be prepared
Be a savvy board, and not one that waits for an attack to happen before taking action.
This article has been produced by Board Agenda in collaboration with Mazars, a supporter of Board Agenda.