Cybersecurity: how to close the knowledge gap

by Ruth Sullivan

The issue of cybersecurity has moved to the top of the boardroom agenda. But are boards doing the right things to stay one step ahead of criminals?

Photo: Shutterstock

As cybersecurity becomes a mainstream business risk, boards are coming under increasing pressure from customers, regulators, investors and the government to understand and oversee potential breaches effectively. Concern grows as the frequency and sophistication of high-profile cyber-attacks rise across industries.

In September, British Airways revealed that hackers had stolen the personal and financial data of 380,000 customers from its mobile app and website a few weeks earlier. Faced with customer anger, the airline had to promise to compensate passengers whose information had been stolen.

Tech giants have also been at fault over failure to protect user data. Google+ shut down its social media network in October, following its non-disclosure of a user data leak. At the end of September, Facebook revealed that hackers had accessed the data of 50 million users’ accounts, including those of its CEO Mark Zuckerberg and COO Sheryl Sandberg. The social network group is still under scrutiny after an earlier data protection leak, where research firm Cambridge Analytica obtained the data of 87 million Facebook users.

Failure to protect personal information and to be transparent about how the data is harvested by others shocked social media users, sent Facebook’s share price plummeting and incurred a £500,000 fine from the UK watchdog.

Companies also face cybercrime attacks from hostile states. In June 2017, Reckitt Benckiser, Moller-Maersk and FedEx suffered a NotPetya ransomware attack, which disrupted their operations and cost each company millions of dollars. Russia has been accused of the attack. A month earlier WannaCry ransomware, perpetrated by North Korea, disabled the operations of thousands of companies in about 150 countries, and also UK hospitals.

At a September CBI cybersecurity conference, Ciaran Martin, CEO of the National Cyber Security Centre (NCSC), stressed the urgency of cyber-threats and called on boards to become more cyber-literate to make company defences stronger.

“This means closing the knowledge gap between the board and the technical team … so that the people on the board and the people in IT can talk about the risks and people on the board can ask challenging questions of their teams.”

Corporate leaders need to “understand cyber-risk in the same way they understand financial risk or health and safety risk,” he added.

Board oversight

The shift of responsibility for cybersecurity oversight to boards is becoming increasingly clear. At the same conference, Matthew Fell, chief UK policy director of the CBI, said that as cyber-threats pose one of the biggest risks to a company’s finances and reputation, companies needed to recognise that digital security was no longer the sole responsibility of the IT team.

Given the barrage of cyber-attacks and the ensuing impact of disrupted business operations, financial, legal and regulatory risks, a thorough approach to putting in place robust protection and tackling breaches efficiently is vital. But just what is the state of boardroom oversight on cybersecurity?

Despite the urgency and gravity of threats, board management of cyber-risks remains patchy and is not always at the top of the agenda.

The UK government’s FTSE 350 report, Cyber Governance Health Check 2017, showed that just 54% of boards view cybersecurity as a top risk compared with other risks. More than two-thirds (68%) had no training to deal with a cyber-incident, while 57% claimed a clear understanding of potential impacts of a loss or disruption of data. The statistics are sobering.

[Chart: board oversight statistics. Source: FTSE 350 Cybersecurity Health Check Report 2017]

Investors are also looking to boards for oversight. “Investors increasingly expect cybersecurity issues to fall within the remit of company boards and their sub-committees, given the potential physical and economic implications of a cybersecurity incident on business operations,” says Fiona Reynolds, CEO of the Principles for Responsible Investment (PRI), whose global signatories represent $80trn of assets under management.

So, what do boards need to do to be in control?

There is no shortage of guidance from institutions and governments on how to tackle the problem. The NCSC has published advice to help boards better understand and prepare themselves to deal with cybersecurity issues. The Bank of England, the Financial Conduct Authority and TheCityUK also provide guidelines on how boards of financial companies can tighten cybersecurity resilience.

Cybersecurity experts advise boards to make sure that clear policies and procedures are in place to tackle cybercrime and protect personal data. A good starting point is to ensure that all members have a clear understanding of the basics of cybersecurity and how the company can be affected by different types of cyber-attacks. Management and the chief IT officer need to explain clearly to the board, in non-technical language, the protection systems in place and vulnerability levels.

Gaining the right information is a two-way exercise and directors, particularly non-executives, who are not involved in the day-to-day running of the business, must ask tough questions to get a clear picture.

“It is the board’s job to ask the right questions and get the right answers from management about the company’s cybersecurity position,” says Peter Swabey, head of policy and research at ICSA: the Governance Institute.

Questions from the board should cover how the company would withstand a range of cyber-attacks, what protection measures are already in place, where the weak spots are, and what is being done to mitigate the risks. The board needs comprehensive, good-quality information to assess the situation.

Directors are often deterred from asking questions by IT specialists who say it is too complicated to explain, but boards must push back to get clear, up-to-date information. This may seem obvious, yet less than a third of boards surveyed in the FTSE 350 Cyber Governance report said they received comprehensive information.

Systems and procedures

What systems and procedures should be in place, then? Savvy boards will insist that “management clearly explain the cybersecurity system in place, what it does and why it is a better system than others,” says Swabey. This step is essential for executive and non-executive members to review and evaluate management approaches to cybersecurity strategy, policy and procedure.

Making sure that management tests the systems and procedures through regular crisis exercises is another important task for boards. If there is doubt about their effectiveness, external expertise should be brought in. It is up to senior management to convince the board that the protection measures and the response plan are sufficiently resilient. It is also essential to the board’s oversight that it receives internal audit reports on the state of cybersecurity.

“The ultimate decisions on whether the cybersecurity framework, policy and procedure are robust enough lie with the board,” says Swabey. As part of its oversight role, the board must also decide whether the level of risk is in line with the risk appetite of the business.

Many boards, particularly those of larger companies, appoint a non-executive director with cybersecurity experience or technology skills. This can be helpful for members, including the chair, to gain a better understanding and oversight of the risks involved. The trend is changing the traditional mix of board recruitment and pushes search executives to broaden their talent pool to draw in suitable candidates.

As the cybersecurity threat rises, there is some evidence that boards are spending more money on resources and infrastructure in order to boost awareness and defences. According to the summer Boardroom Bellwether survey, by ICSA and the Financial Times, 88% of FTSE 350 companies said their boards were increasing spending to mitigate cyber-risk.

New data protection rules, the General Data Protection Regulation (GDPR), which came into force in May, are reforming the way companies collect, use and store personal data. The aim is to make sure companies are protecting the personal data of EU citizens by managing security risk and minimising the impact of breaches when they occur.

The GDPR provides clear guidelines for companies that are breached, and boards must have a clear post-breach plan of action in place. Reporting the breach to regulators and stakeholders within 72 hours of discovery is essential, as failure to do this can result in big fines.

The task of overseeing good, timely communication on the state of cybersecurity also falls to the board and includes ensuring good standards of corporate reporting. Poor disclosure on cybersecurity in corporate reporting often prevents investors from assessing a company’s vulnerability to breaches.

Recent research carried out by the PRI, which studied 100 global companies on aspects of cybersecurity management, showed that nearly 60% did not indicate that their board or its sub-committees were responsible for cybersecurity-related issues. Almost two-thirds of companies provided little or no information about the frequency and channels of communication to the board.

“Although companies are increasingly recognising cyber-risks and their impacts, corporate information in the public domain does not reassure investors that companies have adequate governance structures and measures in place to deal with cybersecurity challenges,” says Reynolds.

This is a problem because “the lack of disclosure makes it difficult for investors to differentiate between those companies that are proactively developing, monitoring and managing cyber-risks versus those failing to prioritise these risks,” she adds. Reynolds’ comments come as the PRI steps up its engagement on cybersecurity with boards and management.

Keeping up

The route to becoming a board with good cybersecurity oversight is not without difficulties. One obstacle hindering progress is the “it won’t happen to us” mentality, which can result in members brushing the problem aside. The danger of groupthink on the issue can lead to cybersecurity not being at the top of the board agenda or, in some cases, not on it at all.

Keeping up with the speed of fast-changing cyber-attacks is also difficult as cyber-criminals continue to invent new attack methods. Many boards have already increased the amount of time they spend in the boardroom and find it difficult to chase management and the CIO for regular cyber-updates.

Investment costs in resources—from infrastructure to expertise and compliance with new regulation—can also be heavy, particularly for small companies. However, boards are beginning to realise that the steep cost of data losses and the ensuing damage to operations and reputation is even bigger.

Effective board oversight of cybersecurity is still a work in progress, with “some doing more than others,” says Swabey. The task is enormous but signs of directors attempting to safeguard information assets are emerging.

“Business boards are stepping up to the challenge of improving their cyber-literacy but firms recognise more progress is needed,” says the CBI’s Matthew Fell. It is, at least, a step in the direction of strengthening cyber-defences, according to the NCSC’s Ciaran Martin, who had this to say in his speech to the CBI in September last year:

“There are three misconceptions we often come across. The first: that ‘cyber is too complex so I won’t understand it’. The second: that ‘cyber is sophisticated so I can’t do anything to stop it’. And the third: that ‘cyber is targeted so I’m not at risk’. None of these are really true and these misconceptions are damaging. You can’t manage risk you don’t understand. So we need to demystify the topic.

“At board level, this means closing the knowledge gap between the board and the technical team. That’s why it means board members becoming a little bit technical. So that the people on the board and the people in IT can talk about the risks, and people on the board can ask challenging questions of their teams. You don’t need to know everything. Just enough to make your own defences stronger.

“No-one in government is asking you to be able to take on the best hostile nation state on a good day on your own. No-one in government is asking you to make cybersecurity your top priority. Your core business is your top priority. We do expect you, however, to be good enough at cybersecurity to take care of the things you care about. And that means you have to understand what they are, and what you can do to protect yourselves.”

board expertise, cyber-risk, cybersecurity, Ruth Sullivan, Spring 2019, Technology