Boards have had to pay closer attention to cyber-security as attacks become increasingly complex and more frequent.
Technological expertise around the boardroom table, however, has not advanced at the same rate and therefore does not match the sophistication of cyber-crime.
Hackers are more likely to be millennials, yet boardrooms tend to be populated with older, non-tech-savvy individuals whose careers predate the internet and who consider cyber-security to be arcane. With cyber-crime costing industry billions of dollars, it is time that Generation Y was given a seat at the top table.
According to research by Ortus, the average age of FTSE 100 board members in 2013 was 57, with one in six board members aged 65 or over. In Australia, the technology sub-committees of the largest ASX 200 companies in 2014 comprised males with an average age of 60 to 69, without tech sector experience or even any specific technical training. Cyber-security, it would seem, is beyond most board directors’ personal experience.
Traditionally, cyber-security has fallen under the remit of the chief technology officer (CTO) and chief information security officer (CISO), but it is now considered a direct responsibility of the board of directors and the audit committee in particular.
There is a good reason for this. Cyber-crime is one of the top threats facing businesses. Data can be destroyed (as in the case of Sony Pictures), intellectual property stolen to gain a competitive edge, customer data compromised, and information that companies would rather remain secret can be used to shame and embarrass companies and individuals.
Reputational damage can be the biggest cost and, once consumer trust is lost, it is very difficult to win back. Non-executive directors and other board members, therefore, need to fully understand the business implications of cyber-crime.
The first thing to grasp is that not all cyber-crime is committed by outside criminals. Disgruntled employees can cause as much damage as external hackers, as in the case of Morgan Stanley, which suffered a security breach when an employee posted information about 900 of its wealthy clients online.
The board should consider whether strict controls are in place to prevent client data and passwords getting into the wrong hands. When an employee leaves, organisations should change their passwords and clients should be advised to change theirs.
Non-executive directors could also pose unforeseen problems. Often they are privy to highly confidential information, but as they mainly work off-site the information stored on their mobile devices might be not as strongly protected as it should be.
The same is true of third-party vendors and service providers. Third-party vendors’ usernames and passwords have been used to access a company’s network and cause chaos, as was the case in the Home Depot security breach in the US. The liabilities that third-party providers and company suppliers bring should be analysed in the assessment of an organisation’s risk profile.
The financial implications of losing customer information are huge and third-party assurance is set to grow as companies seek to protect themselves against lawsuits for loss of data or revenue.
Think how costly it would be to eBay if the 145m users who had their personal records hacked in 2014 brought a class action against the company. The security breach on Sony’s PlayStation network in 2011 is estimated to have cost the company $170m, and that was for just 12m account holders.
An ICSA guidance note places cyber-crime firmly at the top of the UK boardroom agenda. The report identifies four key challenges for board members:
- Understand cyber-risks particular to the company;
- Allocate a budget to cyber-crime prevention;
- Focus on building resilience to attacks that get through the system, rather than preventing all attacks;
- Identify a director responsible for the oversight of the company’s cyber-crime strategy.
Appointing a non-executive director to lead a special cyber-risk task force is a good idea for high-risk companies.
Senior security and technology experts within the business should report into a non-executive so that the board has one formally identified place to go with any technology and information concerns. This would also ensure that cyber-risk remains firmly on the board’s radar.
Boards need to be thinking about appointing technologically savvy non-executives. Not only will their direct experience be of benefit, their ability to help other board members understand and assess cyber-risks is priceless in terms of striking a balance between digital innovation and risk avoidance.
The digital age is here. Boards need to ensure that they are properly equipped to meet it.
The big questions
The top-ten questions that non-executives ought to be asking themselves about cyber-security:
- How confident are you that your company’s most important information is being properly managed and is safe from cyber-threats?
- Do you know your company’s specific cyber-risks and do they appear on the company’s risk register?
- Are budgets reviewed and risk assessment carried out on a regular enough basis?
- Do you have a full and accurate picture of the impact on your company’s reputation, share price or future survival if sensitive internal, or customer, information were to be lost or stolen?
- Is the board receiving reports on breaches and IT risks regularly enough? For example, do you know who may be targeting your company, their methods and their motivations?
- What would the impact on the business be if online services were disrupted for a short or sustained period?
- Do you know your company’s cyber policies and procedures, and are all employees made fully aware of cyber-risk? Is staff training provided in digital do’s and don’ts?
- Could you be a key target? Is the confidential information that you hold adequately protected?
- How could cyber-security insurance limit your liability?
Peter Swabey is policy and research director at ICSA, the professional body responsible for governance and the qualifying body for chartered secretaries.