Skip to content

7 December, 2023

Advertise About Us
  • My Account
  • Subscribe
  • Log In
  • Log Out

Board Agenda

  • Governance
  • Strategy
  • Risk
  • Ethics
  • News
    • Categories

      • View All
      • Board Moves
    • workers on boards

      ‘Workers on boards’ idea is back on the table

      European-style two-tier board system may help to end stagnation in the UK, reports the Resolution...

    • AI catastrophe Avoiding AI catastrophe is ‘beyond corporate governance’

      It is ‘inevitable’ that the risks from artificial intelligence require public governance, according to a...

    • sustainability Where next for sustainability?

      An expert panel discussed their view of global trends for the business world in Board...

  • Insight
    • Categories

      • View all
      • Governance
      • Strategy
      • Risk
      • Ethics
      • Board Expertise
      • finance
      • Technology
    • AI priorities

      AI priorities for the board

      To reap the benefits of artificial intelligence, boards will need to work on their organisational...

    • purpose statement

      On purpose: crafting an authentic statement

      Purpose statements define how organisations align purpose and people. Here’s how to make a statement...

    • first-time CFO

      How to succeed as a first-time CFO

      The remit and responsibilities of the chief financial officer have changed, which can seem daunting...

  • Comment
      • View all
    • uk corporate governance

      Why UK corporate governance needs tightening up

      The LSE’s response to the government’s panicky U-turn on governance regulation is not helpful to...

    • faith in the UK Audit reform is essential to restore faith in the UK

      When it comes to understanding what attracts investors to a capital market, the London Stock...

    • U-turn on audit reform An uncomfortable U-turn on audit reform

      The government’s bonfire of the regulations expected for audit reform creates a source of uncertainty...

  • Interviews
      • View All Interviews
      • Podcasts
      • Webinars
    • sustainability Where next for sustainability?

      An expert panel discussed their view of global trends for the business world in Board...

    • reporting elements Boards urged to retain ‘beneficial’ reporting elements

      Although the government cancelled the requirement, resilience disclosures ‘cannot be wasted effort’, says senior auditco...

    • energy transition Collaboration is key to UK energy transition

      Communication, innovation and engagement are needed for the move to net zero, an expert panel...

  • Careers
      • View all
      • Selection
      • Board Moves
    • gender diversity study Academics criticise BlackRock gender diversity research

      Its methodology came under fire, with some critics also pointing out it was wrong to...

    • diversity of thought How to boost diversity of thought

      Companies benefit from diverse workforces, but also from having the input of different opinions and...

    • minority NED Number of minority NEDs drops

      Although there is some progress in diversity in other board roles, research suggests that boards...

  • Resource Centre
      • White Paper Downloads
      • Book Reviews
      • Corporate & Advisory Services
    • Risk Map: Top Risks 2024

      Control Risks' Top Risks for 2024 cut across the geopolitical, security, operational, regulatory, and cyber/digital...

    • A Director’s Guide to Conducting Internal Investigations 2023

      An internal investigation must be handled meticulously to avoid legal exposure, regulatory or criminal prosecution...

    • Spencer Stuart UK Board Index Highlights 2023 cover

      Spencer Stuart UK Board Index Highlights 2023

      The 2023 UK Spencer Stuart Board Index is a review of board composition and governance...

  • Events
  • Search by topic
    • Governance
    • Strategy
    • Risk
    • Ethics
    • Regulation
    • ESG
    • Investor Relations
    • Selection
    • Board Expertise
    • finance
    • Technology

Taking control of cyber risk

by AIG AIG SPONSORED

Cybercrime is an escalating problem that demands constant attention to mitigate against financial and reputational risk. But what should boards do to ensure their organisation is protected?

globe, world, magnifying glass

Image: Shutterstock

When Facebook chairman and CEO Mark Zuckerberg faced the press after hackers stole data from up to 50 million social networking accounts last September, he said “we need to do more to prevent this from happening”.

It’s a typical response, the sort of reaction you get from CEOs when the data horse has already bolted. Unlike the CEO of Equifax, which saw 693,000 UK data records stolen in 2017, Zuckerberg kept his day job.The problem most boards have is that, following a cyber-attack and data breach, there is little more you can say other than “sorry”.

For Facebook and the many other businesses that suffered cyber-attacks in 2018, the real implications are still being felt: lost revenue, lost customers, fines (Facebook was fined £500,000 by the UK’s ICO) and ongoing reputational damage. The average cost of a data breach to a business is around $3.86m. For all businesses—even Facebook—it’s not just a case of “doing more” and expecting this will be sufficient in preventing further attacks.

Understanding the gravity of the cybersecurity threat and how to manage resources effectively to mitigate against it should be fundamental to boardroom decision-making

If 2018 proved anything, it’s that everyone and everything is a target, hackers are persistent and mistakes happen. This is why the forecast figures are always rising. On a global basis, cybercrime will cost $6trn annually by 2021, double the toll of 2015, according to the Official 2019 Annual Cybercrime Report from Cybersecurity Ventures. It’s one of many similar forecasts.

The important thing to remember is that it’s not someone else’s problem to solve. As AON revealed in its Global Risk Survey 2018, cybercrime is top of the charts when it comes to ranking risk, so businesses and boardrooms have to take control and minimise that risk where possible.

“There is no such thing as 100% secure,”says Mark Camillo, head of cyber, EMEA at global insurance organisation AIG. Understanding the gravity of the cybersecurity threat and how to manage resources effectively to mitigate against it should be fundamental to boardroom decision-making. It’s about top-down culture: if the boardroom takes it seriously and acts, the rest of the organisation will take it seriously too. A key part of that is being prepared for all eventualities.

Make a plan

A cybersecurity plan should be as much about cure as prevention. If you accept, in all likelihood, that at some point the business will be breached, the mindset has to be about continuity and recovery. No board wants to see all the hard work of a business be undermined within a few days due to a cyber-attack.

Every business should have a cybersecurity policy. This is essentially a plan for making sure the whole organisation pulls in the same direction when it comes to preventing attacks, but also knowing what to do post-breach. A comprehensive plan for
protecting data, networks and devices will ensure nothing is left to chance.

A cybersecurity policy should cover four main areas—compliance, infrastructure protection, recovery and employees.

  • Compliance Detail what is expected of the business when it comes to managing data and how to adhere to the EU’s data protection rules in GDPR or US rules such as the HIPAA.
  • Infrastructure protection What and who will be protecting the data? Ensure that there is a coherent plan of protection, from a multi-layered software approach (antivirus, firewall, anti-malware and anti-exploit software) to comprehensive insurance cover. Who is in charge of this and how will software updates and patches be applied and data backed up?
  • Recovery Who does what in the event of a breach? What is the action plan to isolating an incident and getting the business back up and running as quickly as possible? Who is going to communicate with regulation bodies, customers, partners and suppliers and deal with an insurance claim?
  • Education The business needs a clear communication strategy to all staff about internet and email usage and best practice. Clear guidelines on what is acceptable usage, how to detect scams, how remote workers should access the network, social media regulations, password management systems and reporting incidents.

Building a plan will focus the minds of the board. Cybersecurity is no longer a specialist field that concerns only the IT department or a chief security officer. A breach can affect the whole organisation and even put it out of business, so cybersecurity awareness training is now essential for everyone within the company. Human error is after all, the biggest culprit. According to Experian’s Managing Insider Risk Through Training and Culture report, 66% of the data protection and privacy training professionals questioned said employees were the weakest link.

The insurance safety net

More than ever, businesses need to protect themselves, physically, virtually and financially, from the threat of cyber-attack. By transferring risk to an insurer, boards can build a robust strategy to deal with threats.

Knowing where to start is often a problem, but risk can be measured. An insurance firm or broker should be able to model a company’s risk and provide feedback in terms of how their current risk level will translate in terms of premiums. This will also have recommendations on how to improve their risk score.

“We are modelling risk, looking at attack probability, claims data, internal security controls and so on to build a picture of a company’s risk,” says Camillo at AIG, adding that this data also builds a benchmark for vertical sectors. “This also helps with modelling risk costs and give companies clearer insight into what they need to do to reduce risk and insurance premiums.”

Interestingly, despite being one of the biggest safety nets for businesses, insurance is underutilised when it comes to cybersecurity. A survey in August last year by digital research firm Ovum found that only 38% of firms had cybersecurity insurance covering all eventualities. The survey also revealed a lack of understanding among companies of the impact a cyber-attack can have across an organisation.

A risk assessment goes a long way to educating both boardrooms and management, and bringing cyber intelligence into the business

A risk assessment goes a long way to educating both boardrooms and management, and bringing cyber intelligence into the business. “It’s an essential tool in giving more transparency and intelligence back to companies, and an entry point to more comprehensive cover that could also include incident response, forensics and legal and PR support from crisis management experts,” says Camillo at AIG.

A recent PwC report believes this is the future, and it’s already gaining recognition from organisations looking for solutions to the growing threat. PwC estimates that annual gross written premiums for cyber insurance will rise from roughly $2.5bn today to $7.5bn by the end of the decade. “Businesses across all sectors are beginning to recognise the importance of cyber insurance in today’s increasingly complex and high-risk digital landscape,” says the report.

However, the problem for the board is identifying policies that work specifically for cybersecurity and are not just bolted-on, often expensive, extras. As the Ovum study found, 62% of US companies reported they don’t believe their cyber insurer priced their premium based on an accurate analysis of their risk. This has to be an education for both insurer and insured, and demands more extensive risk modelling.

As with all specialist insurance sectors, cyber insurance cannot blanket cover a business and expect to be sufficient. Cover has to be designed to meet the urgent needs of a breach. It has to be 24/7 responsive, help cover investigations and fines, protect a business from the intensive costs of data recovery and reputational mitigation but also lost revenue.

Supplier and customer trust are fundamental to the ongoing success of a business. Few if any businesses can afford to jeopardise that trust. A cybersecurity breach, with potential loss of sensitive data is now one of the biggest, if not the biggest threat to that trust, placing more importance than ever on remediation, insurance and that often under-appreciated notion, peace of mind.

TOP FIVE RECOMMENDATIONS FOR MANAGING CYBER RISK

  • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  • Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular time on board meeting agendas.
  • Board directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  • Board–management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

For more details download the Internet Security Alliance’s Managing Cyber Risk: A Handbook for Boards of Directors.

This article was produced in association with AIG, which is a supporter of Board Agenda.

Related Posts

  • Battle of the boards: risk, ESG and two-tier board structures
    April 22, 2022
    Board risk meeting

    There is an inherent conflict of interest between main and executive boards, with two different time horizons and two different risk impacts.

  • Are cyber disclosure demands too high?
    August 15, 2022
    cyber disclosure

    Organisations increasingly struggle with cybersecurity as they balance fear of reputational damage against cyber disclosure requirements.

  • Paul Manduca takes the wheel as chair of Eurowag
    September 16, 2021
    Paul Manduca, Eurowag

    The former chair of Prudential and Aon UK has joined the board of the commercial road transport services provider.

  • Technology, cyber risk and ESG top list of business leaders' concerns
    June 8, 2022
    Digital code on skycrapers

    Mazars survey reveals 82% of executives plan to increase investment in IT systems, while 75% plan to boost spending on sustainability.

For thoughtful journalism, expert insights on corporate governance and an extensive library of reports, guides and tools to help boards and directors navigate the complexities of their roles, subscribe to Board Agenda

AIG, board expertise, cybersecurity, data breaches, insurance, risk

Search


Sign up to our Newsletter

Receive independent news, thoughtful journalism & expert insights about leadership, corporate governance & key boardroom issues straight to your inbox every week.

SIGN UP

Follow Us





Most Popular

  • Sustainability governance is on the rise
  • Why UK corporate governance needs tightening up
  • Proxy adviser warns LSE over governance
  • News round-up: this week in governance
  • How to future-proof your board

Featured Partner Profile

Diligent

Diligent

Diligent Corporation, which was founded in 2001, is headquartered in New York, NY with a European HQ in London. Diligent’s modern governance platform empowers leaders and teams at every level of the organisation to digitally transform and create ...

Featured Partner Resources

Leadership ESG

Leadership in ESG Integration: a study into UK board oversight, implementation and disclosure

This research report is based on detailed response...
The Engagement Appeal: The Path to Inclusive Investor Engagement

The Engagement Appeal: The Path to Inclusive Investor Engagement

This is the inaugural white paper from The Engagem...
Mazars c-suite 2023

Mazars C-suite barometer 2023

The Mazars C-suite barometer is based on responses...

Stakeholder Engagement: A Roadmap for UK Plc Boards

This guide aims to provide directors and their col...

Digital Boards: How Technology Adoption is Driving Culture Change and Resiliency

Digital tools proved their worth to boards during ...
Leadership in AI report

Leadership in AI

This report from Board Agenda and Mazars, in assoc...

A Director's Guide to Conducting Internal Investigations 2023

An internal investigation must be handled meticulo...

ADVERTISE – FREE CORPORATE LISTING

FREE - Add your company profile to our Corporate & Advisory Directory.
ADD

ADVERTISE – PROMOTE YOUR REPORTS & WHITEPAPERS

FREE - Add your company profile to our Corporate & Advisory Directory.
Add Resource

Register Free

Register to receive free article views, selected resource downloads, and all the latest news alerts straight to your inbox. Register


  • Editors & Contributors
  • Editorial Advisory Board
  • Corporate & Advisory Services
  • Media Marketing Solutions
  • Contact Us
  • Careers
  • Board Director Network
  • Terms & Conditions
  • Privacy Policy
  • Cookies
  • Sitemap
|

Copyright © 2023 Questor Media Group Ltd.

  • Terms & Conditions
  • Privacy Policy
  • Sitemap