As international cybercrime becomes big business and a primary corporate risk, boards are grappling with understanding its complexities, and ensuring robust defences are in place against hackers.
The increasing number of high-profile breaches across industries in the past few years has pushed the issue up the agenda, making boards realise it is a matter of when, not if, a cyber-attack will take place. Last year, hackers breached data systems at Equifax, the US credit-checking group, and stole the personal data of more than 140 million people, most of them in the US but also in the UK and Canada, which triggered regulatory and criminal investigations on both sides of the Atlantic and a pile of lawsuits.
Earlier in 2017, and on a larger scale, the WannaCry ransomware, which the US and UK governments have publicly attributed to North Korea, infected hundreds of thousands of Windows machines in about 150 countries, disrupting organisations including the UK’s National Health Service and FedEx in the US. It spread through a flaw in Windows file sharing for which Microsoft had issued a patch two months earlier, a reminder that many breaches exploit known, fixable weaknesses. In January this year, revelations about the Meltdown and Spectre flaws in processors made by Intel, ARM and AMD, which could make companies vulnerable to attacks by hackers, raised boardroom anxiety further.
As breaches continue, cybersecurity has become one of the largest concerns for boards, audit committees and investors.
Clear policy and procedure
At a recent meeting of CACID—a joint initiative between Mazars and institutional investors—Nicolas Quairel, a Mazars partner who leads the cybercrime security team, warned that a clear policy and procedure is a necessary starting point, but organisations must go further.
“Boards need to start from the critical IT assets and understand how they could be affected by various cyber-threats,” said Quairel. This step is crucial in light of the new data protection rules (the General Data Protection Regulation, or GDPR), which come into force on 25 May.
“You need to have a road map in place, to test the system and procedure for a crisis, and be compliant for the end of May,” explained Quairel. It is essential for boards to show the regulator that effective protection is in place and to demonstrate the steps taken to achieve it, he added.
Complying with regulation and guidance
The new regulation is certainly sharpening minds. GDPR requires companies to make sure the personal data of individuals in the EU is effectively protected and secure. The tough EU reforms, which set a single Europe-wide standard for the protection of personal data, will shake up the way organisations handle and secure it.
Surveys have indicated that many companies are still unprepared for the tougher rules on the protection and storage of personal data that GDPR requires. One of the mistakes boards often make about cybersecurity threats is to believe the risk “is only IT-related” rather than a business risk, according to Quairel. He believes that some support from experts to help understand potential threats and their negative impact on the business is important.
Make sure the board has enough expertise
Mazars, which provides training to boards and audit committee members to assess their cyber-risk and strengthen security and resilience against external and internal attacks, believes that good cybersecurity starts with the board. In addition to understanding the main issues concerning cybersecurity and adopting effective risk management, directors also need to look at the wider implications such as reputational, legal and supply-chain risks.
Once all this is in place, “it is essential to keep reviewing them,” said Quairel. Best practice approaches include boards appointing a member with specialist technology or cybersecurity experience, able to understand the complexities and vulnerabilities of the company and explain to the rest of the board, audit and risk committees the security and data protection measures needed.
Clear, shared understanding on the cyber-protection measures in place enables boards to provide informed answers to investors’ questions and indicate a company’s level of resilience against attack.
Smaller companies, which might be more constrained by costs than their bigger counterparts, may not be able to justify a board-level specialist and should bring in external cyber-risk advisors, said one non-executive director at the forum. Waiting until “someone kicks the tyres” before investing in training or specialists is no longer an option.
Check disclosure controls and procedures are up to task
Boards also need to make sure they have a clear post-breach plan of action and that regulatory reporting of data breaches follows the right procedure to meet the new GDPR requirements: a personal data breach must be notified to the supervisory authority within 72 hours of the company becoming aware of it where feasible, and affected individuals must be told without undue delay where the breach is likely to put them at high risk. New guidance from the US Securities and Exchange Commission (SEC), brought out in February, on the disclosure of cyber-attacks will also be a useful reference for companies scrambling to meet GDPR rules, even though it addresses disclosure to investors rather than data protection. The SEC urged businesses to have policies in place that allow them to assess cybersecurity risks efficiently and quickly and to ensure proper procedure is followed in disclosing a breach to investors, the regulator and the public in a timely way.
“The guidance framework is a deep dive into the controls in place on data protection, and its requirements need to be well understood,” said Quairel. “Companies need to make sure their disclosure controls and procedures are up to task.” He believes other regulators outside the US will adopt similar guidance in the near future.
Deal with investor concerns
The new regulations and guidance on both sides of the Atlantic are ramping up investor engagement and scrutiny over the measures and procedures companies have set up to tackle cyber-risk and data protection. They are increasingly asking sharp questions and expect boards to give informed, detailed answers that provide assurance.
The barrage of questions boards are likely to face include whether a company has been breached, whether simulated attacks have been run, and how many externally reachable entry points there are into company systems. Investors may also ask how regularly business systems are patched and how quickly critical patches are applied. Not surprisingly, investors want to know who on the board is responsible for cybersecurity and, when an attack occurs, what the damage is, and to be assured that appropriate business continuity arrangements are in place.
A comparison with peers on cyber-risk exposure is also valuable for companies and investors, as attackers tend to go for the weakest targets. Institutional investors are also increasingly looking for more engagement with audit committee chairs over cyber-risk concerns, it emerged at the CACID meeting. One big institutional investor present at the meeting said that if they do not have enough confidence in a company’s level of cybersecurity resilience, they will not invest in it.
At a time when investors, regulators and customers are calling for more clarity and assurance on boards’ oversight of cyber-risks, directors need to make certain that they understand the issues involved and take effective action. The current challenging and complex environment of organised cybercrime, malicious software and dark-web activity means many boards will need to raise the bar to protect personal data and to meet the requirements of all stakeholders in the near future.
This article has been prepared in collaboration with Mazars, a supporter of Board Agenda.