8 February, 2023


Cybersecurity is a key corporate governance concern

by Fiona Reynolds

The security of a company’s data is no longer an IT issue but a key concern for corporate governance, writes Fiona Reynolds of the UN Principles for Responsible Investment.


Cybersecurity risk is real and pervasive, as demonstrated by recent attacks that have put the frighteners on big banks, web services providers, the NHS and even the US intelligence community.

Threats can emerge from various sources, both internal and external, resulting in data breaches that can damage share price and reputation and erode trust in the organisation's ability to secure sensitive data, including intellectual property.

Thus, cybersecurity becomes a governance issue, if organisations are seen to be abrogating their duty of care when it comes to protecting sensitive data about employees or credit information; or, in the public sector, if information about members of the public relating to healthcare or other private matters is lost.

But despite these high-profile incidents, many institutional investors are only just beginning to look at the governance issues concerning cybersecurity.

Investors are keen to understand how the companies in their portfolios appreciate the material risks regarding data protection; how prepared their portfolio companies are to address these risks; and whether they have appropriate mechanisms in place to deter threats. This can be difficult to assess, however, because of gaps in current corporate disclosure on this topic.

A 2017 study by IT consultant CGI and Oxford Economics concluded that severe breaches caused share prices to fall by an average of 1.8% on a permanent basis. A McKinsey-World Economic Forum study that same year of cybersecurity risk management practices found that: “Senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks—more important than company size, sector and resources provided.”

Not just an IT issue

Boards are facing increased scrutiny and liability exposure in relation to cybersecurity and data privacy. Given the increasingly large amounts of data that companies are gathering and storing, there is a greater likelihood that they will be the targets of cyber-attacks or data breaches.

Mark Tims, a partner in the technology risk practice at KPMG, notes: “Board oversight of cybersecurity is no longer a leading practice, it is a necessity. Investors, governments and regulators are increasing demands and challenging boards to demonstrate diligence and leadership.”

Gone are the days when cyber-risk was seen solely as the province of the IT department. These days, it is up to boards to take the lead in ensuring the protection of data, and interrogating whether company mechanisms are up to the job.

An additional—and serious—consideration for boards is that the regulatory regime on data privacy and cybersecurity is being strengthened across the world, with fines and penalties for data breaches.

In Europe, for example, the General Data Protection Regulation came into force in May 2018, creating obligations for companies that process and hold data in the EU regardless of where they are located. Notably, the penalties for not adhering to these requirements can be up to €20m.

Similarly, in Australia, the Australian Privacy Act mandates that companies implement security safeguards to protect personal information and notify customers of data breaches.

Last year, the US Congress introduced the bipartisan Cybersecurity Disclosure Act of 2017-18 (S.536), which would require publicly traded companies to disclose the cybersecurity expertise of any members of the board or general partner and, if the board does not have such expertise, disclose the measures they have taken to identify and nominate future nominees to the board.

This was originally put forward in 2015. However, recent high-profile cybersecurity incidents at both public and private companies have considerably heightened awareness of this issue, especially across the US public sector, whose members know they themselves could be vulnerable to cyber-attacks.

There are also murmurings that the US Securities and Exchange Commission (SEC) could consider board cybersecurity expertise as a factor when evaluating whether a registered entity has a sufficient cyber-risk management programme in place.

Robust security measures

Investors need to discuss these issues with board directors to raise awareness of potential data compromise and ensure the board is involved in assessing the robustness of security measures. This issue will only continue to intensify in the future, so investors need to start the conversation with companies now to better understand their exposure.

To improve corporate disclosure and enhance understanding of the underlying cyber vulnerabilities, the PRI is coordinating a global collaborative engagement on this topic. Fifty-three institutional investors representing more than US$12trn in assets under management will be engaging with companies on their cybersecurity governance.

Questions raised with companies will enable dialogue on whether there is sufficient board oversight on cyber issues, and whether they have sufficient access to internal or external expertise and are taking adequate measures to manage cybersecurity risks. This collaborative engagement will focus on listed multinational companies in consumer, healthcare, financial, IT and telecommunication sectors.

As this dialogue progresses over the next year or so, participating members will have further clarity on how material cybersecurity risk is for companies in their portfolio, how information flows to the board on cybersecurity matters and what the process of evaluation against peers is.

Using these findings, they will also put together a set of investor expectations on cybersecurity governance that companies should be able to meet. Most importantly, through this dialogue they will be signalling to companies that further meaningful information on cybersecurity is warranted, and such information will enable investors to discern which companies are likely to manage risks appropriately.

Board members could start by ensuring that cybersecurity is on the agenda at board meetings. If these issues are delegated to senior management, then the board must have regular updates from those individuals in order to stay current on the topic.

The global cybersecurity market is expected to reach more than US$205bn by 2024, according to a report last year by Grand View Research, Inc., clearly underscoring how quickly this issue has moved up the business agenda. The study noted that cybersecurity is becoming a strategic imperative for organisations owing to increased focus on protecting information in the wake of high-profile data thefts and breaches.

Boards need to work closely with senior management to escalate the message across the organisation that security is everyone’s problem. Keeping data secure is not about buying the latest security software; it is about everyone in the company taking responsibility for keeping data secure, from deleting emails with attachments from unknown sources to protecting the data on laptops that employees take home with them.

Changing corporate culture is never going to be easy, but getting employees to understand their role in keeping data safe will go a long way to mitigating cyber-risks.

Cyber-risk checklist

Board members can address cyber-risks using the following checklist:

• Understanding the cyber-risks facing the organisation and the material risks they present to the business.

• Regularly speaking with senior managers and the CIO to determine the robustness of existing cybersecurity measures and whether enhancements or upgrades are necessary.

• Assessing the level of readiness to deal with and communicate data breaches.

• Ensuring that vendors in the supply chain are also putting measures in place to withstand data breaches.

• Learning best practices from other organisations in the same industry sector.

Fiona Reynolds is managing director of the UN Principles for Responsible Investment.


corporate governance, cyber-risk, cybersecurity, data privacy, GDPR, leadership, Spring 2018, Technology
