2 June, 2023
Taking control of cyber risk

by AIG AIG SPONSORED

Cybercrime is an escalating problem that demands constant attention to mitigate against financial and reputational risk. But what should boards do to ensure their organisation is protected?

Image: Shutterstock

When Facebook chairman and CEO Mark Zuckerberg faced the press after hackers stole data from up to 50 million social networking accounts last September, he said “we need to do more to prevent this from happening”.

It’s a typical response, the sort of reaction you get from CEOs when the data horse has already bolted. Unlike the CEO of Equifax, which saw 693,000 UK data records stolen in 2017, Zuckerberg kept his day job. The problem most boards have is that, following a cyber-attack and data breach, there is little more you can say other than “sorry”.

For Facebook and the many other businesses that suffered cyber-attacks in 2018, the real implications are still being felt: lost revenue, lost customers, fines (Facebook was fined £500,000 by the UK’s ICO) and ongoing reputational damage. The average cost of a data breach to a business is around $3.86m. For all businesses—even Facebook—it’s not just a case of “doing more” and expecting this will be sufficient in preventing further attacks.

If 2018 proved anything, it’s that everyone and everything is a target, hackers are persistent and mistakes happen. This is why the forecast figures are always rising. On a global basis, cybercrime will cost $6trn annually by 2021, double the toll of 2015, according to the Official 2019 Annual Cybercrime Report from Cybersecurity Ventures. It’s one of many similar forecasts.

The important thing to remember is that it’s not someone else’s problem to solve. As AON revealed in its Global Risk Survey 2018, cybercrime is top of the charts when it comes to ranking risk, so businesses and boardrooms have to take control and minimise that risk where possible.

“There is no such thing as 100% secure,” says Mark Camillo, head of cyber, EMEA at global insurance organisation AIG. Understanding the gravity of the cybersecurity threat and how to manage resources effectively to mitigate it should be fundamental to boardroom decision-making. It’s about top-down culture: if the boardroom takes it seriously and acts, the rest of the organisation will take it seriously too. A key part of that is being prepared for all eventualities.

Make a plan

A cybersecurity plan should be as much about cure as prevention. If you accept, in all likelihood, that at some point the business will be breached, the mindset has to be about continuity and recovery. No board wants to see all the hard work of a business be undermined within a few days due to a cyber-attack.

Every business should have a cybersecurity policy. This is essentially a plan for making sure the whole organisation pulls in the same direction when it comes to preventing attacks, but also knowing what to do post-breach. A comprehensive plan for protecting data, networks and devices will ensure nothing is left to chance.

A cybersecurity policy should cover four main areas—compliance, infrastructure protection, recovery and employee education.

  • Compliance: Detail what is expected of the business when it comes to managing data and how to adhere to the EU’s data protection rules in GDPR or US rules such as HIPAA.
  • Infrastructure protection: What and who will be protecting the data? Ensure that there is a coherent plan of protection, from a multi-layered software approach (antivirus, firewall, anti-malware and anti-exploit software) to comprehensive insurance cover. Who is in charge of this, and how will software updates and patches be applied and data backed up?
  • Recovery: Who does what in the event of a breach? What is the action plan for isolating an incident and getting the business back up and running as quickly as possible? Who is going to communicate with regulatory bodies, customers, partners and suppliers, and deal with an insurance claim?
  • Education: The business needs a clear communication strategy for all staff about internet and email usage and best practice, with clear guidelines on what counts as acceptable usage, how to detect scams, how remote workers should access the network, social media rules, password management systems and how to report incidents.

Building a plan will focus the minds of the board. Cybersecurity is no longer a specialist field that concerns only the IT department or a chief security officer. A breach can affect the whole organisation and even put it out of business, so cybersecurity awareness training is now essential for everyone within the company. Human error is, after all, the biggest culprit. According to Experian’s Managing Insider Risk Through Training and Culture report, 66% of the data protection and privacy training professionals questioned said employees were the weakest link.

The insurance safety net

More than ever, businesses need to protect themselves, physically, virtually and financially, from the threat of cyber-attack. By transferring risk to an insurer, boards can build a robust strategy to deal with threats.

Knowing where to start is often a problem, but risk can be measured. An insurance firm or broker should be able to model a company’s risk and explain how its current risk level translates into premiums. That assessment should also come with recommendations on how to improve the company’s risk score.

“We are modelling risk, looking at attack probability, claims data, internal security controls and so on to build a picture of a company’s risk,” says Camillo at AIG, adding that this data also builds a benchmark for vertical sectors. “This also helps with modelling risk costs and gives companies clearer insight into what they need to do to reduce risk and insurance premiums.”

Interestingly, despite being one of the biggest safety nets for businesses, insurance is underutilised when it comes to cybersecurity. A survey in August last year by digital research firm Ovum found that only 38% of firms had cybersecurity insurance covering all eventualities. The survey also revealed a lack of understanding among companies of the impact a cyber-attack can have across an organisation.

A risk assessment goes a long way to educating both boardrooms and management, and bringing cyber intelligence into the business. “It’s an essential tool in giving more transparency and intelligence back to companies, and an entry point to more comprehensive cover that could also include incident response, forensics and legal and PR support from crisis management experts,” says Camillo at AIG.

A recent PwC report argues this is the future, and it’s already gaining recognition from organisations looking for solutions to the growing threat. PwC estimates that annual gross written premiums for cyber insurance will rise from roughly $2.5bn today to $7.5bn by the end of the decade. “Businesses across all sectors are beginning to recognise the importance of cyber insurance in today’s increasingly complex and high-risk digital landscape,” says the report.

However, the problem for the board is identifying policies that work specifically for cybersecurity and are not just bolted-on, often expensive, extras. As the Ovum study found, 62% of US companies reported they don’t believe their cyber insurer priced their premium based on an accurate analysis of their risk. This has to be an education for both insurer and insured, and demands more extensive risk modelling.

As with all specialist insurance sectors, a blanket cyber insurance policy cannot be assumed to give a business sufficient cover. Cover has to be designed to meet the urgent needs of a breach. It has to be responsive 24/7, help cover investigations and fines, and protect a business from the intensive costs of data recovery and reputational mitigation, as well as from lost revenue.

Supplier and customer trust are fundamental to the ongoing success of a business. Few if any businesses can afford to jeopardise that trust. A cybersecurity breach, with the potential loss of sensitive data, is now one of the biggest, if not the biggest, threats to that trust, placing more importance than ever on remediation, insurance and that often under-appreciated notion, peace of mind.

TOP FIVE RECOMMENDATIONS FOR MANAGING CYBER RISK

  • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  • Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular time on board meeting agendas.
  • Board directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  • Board–management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

For more details download the Internet Security Alliance’s Managing Cyber Risk: A Handbook for Boards of Directors.

This article was produced in association with AIG, which is a supporter of Board Agenda.
