UK Boards and Cybersecurity: What Can Be Done Differently

It is often said that the most dangerous cybersecurity vulnerability at organisations is human error. As UK directors take responsibility for cybersecurity, they must have the training, advice and planning that they need to do a good job. Yet relatively few UK directors have the training and the advice that are required, and plans for defence are not in place at most companies. Given the exponential rise of cyber attacks in the UK, boards must take steps to get the support they need – in many cases, creating a board-level position dedicated to cyber development is the best move, although few UK companies have taken this step so far.

Directors must take charge of cybersecurity

The recent wave of cyber attacks across Europe has not spared the UK. The number of cyber attacks targeting UK-based businesses increased by more than half in the second quarter of 2017, according to a report from networking expert Beaming. Firms were, on average, subjected to almost 65,000 internet-borne cyber attacks each in the three months to June, an increase of 52 percent on the first quarter of 2017.

Yet relatively few UK businesses are reacting with investment in cyber defence. A survey by FICO and Ovum in May 2017 showed that fewer than half the executives surveyed believe their company will have stronger cybersecurity protection in a year, and just 48 percent say their investment in cybersecurity will rise in the coming year.

As the UK Institute of Directors points out, cybersecurity is now unquestionably a board-level issue, and directors are responsible, both collectively and personally, for defence against breaches. Directors of regulated entities need to be aware that a failure to manage cyber risk adequately could equate to a breach of their personal regulatory obligations. There is increasing pressure for non-executive directors to also be held accountable for any failures to properly challenge management as they deal with cybersecurity issues.

Sectors like financial services and health care have particularly complex requirements for cybersecurity, and boards in these sectors must react: UK healthcare is now the leading target for cyber attacks in the country, as health records contain the so-called ‘holy trinity’ of personal information — name, NIS number and date of birth — that hackers can exploit.

Whatever the sector, there is a growing feeling in the UK that businesses owe it to other businesses to secure their operations. “Cyber security is a hygiene issue; businesses expect other businesses to get it right, and a failure to do so will be seen as a dereliction of duty,” according to a recent IoD report.

How boards can get cybersecurity right

For directors, there is no substitute for training to get a thorough grasp of the challenge; boards should then both engage expert advisers and create a board post dedicated to cyber development, filled by an expert. It is essential that directors develop a high-level understanding of the specific cyber risks facing the company, and it is advisable that they retain external consultants to evaluate the company’s security risk management. Only 41 percent of UK firms surveyed by Beaming have a tested data breach response plan, compared with 52 percent in the US.

At least one board committee should take responsibility for cybersecurity issues – this may be the audit committee, the risk committee or another. Ernst & Young points out that most audit committee members are financially savvy, but they may lack a deep knowledge of technological issues, and may be reluctant to discuss information security in the boardroom. They will have to rely heavily on external advice or on technology officers within the company to provide a full-scale perspective on IT risk management.

Communication on the board must be made secure. Boards should move from using paper for communications to using protected electronic communications. Access to different aspects of the board’s work should be limited to those who need to have it. This is where Diligent can help: Diligent board collaboration software addresses security issues for directors’ communications. It offers best-in-class security with ISO 27001 and TRUSTe certification, high-level encryption and code obfuscation to assure the highest level of protection possible.

Ensure that all stakeholders in the organisation have adequate security measures, as well as legally mandated data protection, in place. Contracts with vendors, for example, should require cybersecurity measures. Exchanges of data with suppliers and clients must have the protection now required by law.

A plan must be in place to respond to a cyber attack, and it should be updated regularly. Boards should also inventory where their organisations store data, and what risks are involved with these arrangements. Senior management should become familiar with the legal and contractual requirements to determine what steps they would be required to take if the company were to experience an attack.

Insurance should be obtained for cybersecurity breaches, not just for the organisation, but also for the directors and officers themselves. PwC says much work is still needed by insurers in order to measure and mitigate this risk. In a recent survey, PwC found that fewer than 15 percent of the insurers and reinsurers it examined said they had the data readily available to assess their exposure to rogue cyber attacks.

Given the increasing chance of directors being held accountable in data breach suits against their companies, it would be prudent for board members to take the steps outlined above. Given that a breach is almost certain to hit nearly every company in the UK, directors do not want to bury their heads in the sand.