Deloitte recently completed an analysis of FTSE 100 companies’ most recent annual reports, ending September 2016, to review company disclosures concerning cybersecurity. The results show that top companies are trying to reassure investors that they are taking these issues seriously.
These firms are revealing many details about their approach to this risk and being transparent about how such risks might impact on them. There was near consensus that cyber is important to discuss, with 87% identifying it as a principal risk.
However, in a surprising statistic, just 5% disclose in their annual report that a board member has expertise in cybersecurity or technology. Whilst it is likely that many more of these boards do have this experience, or access to it, many simply did not disclose this time.
Now that the precedent to disclose has been set by these outlying companies, we’d expect the next set of reports to show a dramatically increased rate of expertise revealed. As the number climbs from an anomaly to the norm, it will be fascinating to see what happens to those boards that do not have access to this capability and, in the meantime, it raises a number of questions.
Will we see increasing pressure from investors to ensure boards have sufficient skills to navigate the potentially treacherous waters of cybersecurity? Should a significant cybersecurity incident occur, will the ability of the board, with oversight of management, be called into question? The only answer to these questions is “yes”.
To date, it has been a goal of the unitary board for all directors to decide company policy by consensus. A diverse set of backgrounds and experience reduces the risk of “group think” and allows each member to bring their own insight and experience to the discussion. But there is a risk, if a board member is seen as the expert on the topic, that other members may attempt to abdicate responsibility to them.
There is clearly a balance to be struck here to ensure the entire board can contribute, while recognising the different strengths and experiences that each member brings. Non-executives may have some knowledge in cyber, but without formal training or tangible experience, it is difficult to get to the nub of the issue.
A key principle of corporate governance is that the board needs sufficient relevant skills and understanding to review and challenge management performance. It is unrealistic to expect the board to have representatives with deep experience on every topic, so there is a judgement to make about which areas need to shine from the CVs of the non-executives, and which can be covered with quick wit and sharp minds.
Cybersecurity has a myriad of complex terminologies that can seem impenetrable; those presenting to the board might hide behind that jargon to avoid difficult questions. Even with that dense industry language, someone with a background in a range of fields can probe effectively. Digital or deep technology skills can cut through buzzwords, as can mature risk skills, such as credit or market risk. Members from a senior intelligence or military background often are credible here.
Our analysis showed that 10% of the FTSE 100 disclose that they have trained their board members on cybersecurity. However, it is likely that the number getting this training is actually higher and we will start to see more firms disclose the nature of training across a number of technical issues.
At the very least, this provides comfort to investors. If it can be demonstrated that generalist board members are being kept current on the issues du jour, perhaps this means boards will not need to add members with specific expertise.
Given the nature of the information they need to carry out their duties, board members need to know how to protect their systems and the confidential information they handle.
The horror stories of highly sensitive, and potentially market-moving, information being sent unencrypted to cloud-based email accounts designed for mass market retail use must be left in the past.
Even if you are a non-executive without cyber experience, your computer needs to be updated and protected. It is possible to do this yourself, or to ensure the company you oversee provides you with a secure way to operate. Either way, the responsibility is down to the individual. For companies, too, there are still some things to learn about providing these environments. Having a different tablet for each board you sit on, for example, is as much a risk to those companies as it is impractical for the non-executive.
Cyber-risks are rising and investors, regulators and customers continue to care about these issues. Boards must be able to understand and effectively challenge these topics.
There are a number of ways for them to do this. Ensuring the board can demonstrate their understanding and capability will be key. The largest organisations have defences at scale, and have deep pockets, allowing them to weather these cybersecurity events. It will be interesting to watch how both the big and medium-sized firms mitigate the cyber-threat at board level.
There may be much to learn about how best to do this, but it may be the mid-tier that ends up teaching the big firms the right answers, through the painful and destructive lessons it learns along the way.
The pace of change is accelerating and vital decisions need to be made at senior levels regarding digital business models, artificial intelligence/machine learning and big data.
What other risks are happening now, on the boards’ watch, on which they haven’t already been briefed? Can the board really carry out its duties effectively without understanding the core of these critical changes to our world? And what other topics do you need insight into to be effective?
For boards themselves, it is prudent to be horizon planning, and not just on cyber.
Stephen Bonner is a partner, FS Cyber Risk at Deloitte.