Over the past year Templar Executives has been experiencing an increasing number of requests from Non-Executive Directors (NEDs) to support them in developing their own personal understanding of Cyber Security. The common aim is to be able to identify what they should be challenging their Boards on and how the NEDs can ensure assurance in this area. What is clear is that Boards are increasingly being held to account, not only by their NEDs but also by their shareholders, stakeholders, customers and employees.
Industry surveys continue to highlight that leadership and accountability in Cyber Security remains a significant challenge for Boards. There is no real consensus across organisations on how much responsibility Boards should accept for their Cyber Security posture; for example, to be able to understand and assess the implications of Cyber Security intelligence reports to make appropriate business decisions. However, there can be no doubt that the Board is accountable.
"OUR BUSINESS LEADERS NEED TO STOP SAYING THAT CYBER SECURITY IS TOO COMPLICATED AND STOP DEVOLVING RESPONSIBILITY.”
(Ciaran Martin, CEO, UK National Cyber Security Centre, 2017
A recent report highlighted that 40% of Board members said they felt they had no responsibility for the consequences of being hacked. In the 2017 Government-sponsored Cyber Security Breaches Survey, only 29% of UK businesses surveyed had Board members with responsibilities for Cyber Security.
AVERAGE LOSS IN MARKET VALUE FOLLOWING HIGH PROFILE CYBER BREACHES
However, with the increasing media and public spotlight on breaches, the resulting adverse impact on reputation and long-term threat to company value, the responsibility for Cyber maturity and resilience in an organisation must start in the Boardroom. Cyber Security needs to be proactively owned and the risks managed – Cyber Security needs leadership.
This can be an uncomfortable reality for some Boards, where the viewpoint may often be that Cyber Security is an IT issue and not a Board-level responsibility. The paradigm needs to be shifted. It is critical to raise the Board’s own understanding and also to explain information to engender relevance and alignment to the organisation’s unique strategic business objectives. There needs to be a collegiate leadership approach on behalf of, and for, the business; some businesses choose to imbue the responsibility within a single Board member. Education and experience are required on what is the most appropriate application of best practice and how to foster a positive culture, as well as individual accountability, in the Cyber Security arena.
THE INFORMATION COMMISSIONERS OFFICE (ICO) FINED TALKTALK TELECOM GROUP PLC &POUND;100,000 IN AUGUST 2017 AND & &POUND;400,000 IN OCTOBER 2016 FOR, SECURITY FAILINGS, AND IN BOTH INSTANCES, A FAILURE TO LOOK AFTER DATA.
Roles that address Cyber Security need to increase in both presence and prominence at the Board-level. These include the Senior Information Risk Owner (SIRO) or Chief Risk Officer (CRO) as permanent members of the Board; often co-opted or reporting into the Board on a regular basis are the Chief Digital Officer (CDO), Chief Security Officer (CSO) or the Chief Information Security Officer (CISO).
Within the wider landscape, compliance is also becoming increasingly important. New checks and balances are being introduced by nation states and regulators including the General Data Protection Regulation (GDPR), Network and Information Security Directive (NISD) and Markets in Financial Instruments Directive (MiFID II), with the accountability firmly resting with the Board. Organisations need also to consider their wider ecosystem: the stakeholders and supply chain as part of their Cyber Security strategy, to manage risks and ensure a business-enabling, rather than a disabling, environment.
As an example, the commencement of enforcement of GDPR from 25th May 2018 and its international implications (note not just within the EU) has without doubt raised awareness of businesses’ data protection requirements. Non-compliance could now lead to a fine of up to €20 million or 4% of a firm’s annual global turnover; a compelling incentive to implement effective and robust measures to manage proactively and be accountable for Cyber Security.
Managing these risks well will differentiate organisations and leadership in the Cyber era. Customers’, stakeholders’ and shareholders’ confidence may be a business given requirement, but an attack and a succeeding poorly-managed breach can erode this confidence irrevocably.
Boards that embrace this accountability and responsibility will be much better placed in this new digital age, the era of Cyber. A proactive and intelligent approach to identifying and safeguarding business critical information assets, managing risks, enabling a Cyber Security aware workforce, promoting a culture that values information and adopting a holistic approach, encompassing policy, people, processes as well as IT, will be a step in the right direction. Cyber Security needs to be an integral part of ‘business as usual’ in the Boardroom. It is a responsibility that each and every Board member and NED need to ensure is on their agenda, with frank discussions to manage business risks.
For more information on Templar’s tailored Board-Level services, visit: https://www.templarexecs.com/board-level-responsibility/