UK Cybersecurity Concerns for Directors

UK Boards have a clear legal obligation to manage cyber risk, but there is a lack of engagement at the board level, as well as a lack of preparation, at the majority of the country’s companies. EU legislation, which will soon come into force in the UK – despite BREXIT – will increase the legal obligation for directors to take action or risk liability.

Overview of UK Cybersecurity Regulation

The UK Government published its first UK Cyber Security Strategy paper in November 2011.

Five years later, in November 2016, the National Cyber Security Strategy 2016 was published, listing three key objectives:

1) To have the means to defend the UK against evolving cyber threats; to respond effectively to incidents; and to ensure UK networks, data, and systems are protected and resilient;

2) To understand, investigate, and disrupt hostile action taken against us, pursuing and prosecuting offenders, and to take offensive action in cyberspace, should the government choose to do so; and

3) To have an innovative, growing cybersecurity industry, underpinned by world-leading scientific research and development.

The government has dedicated close to £2 billion to the five-year strategic plan.

As part of the national cybersecurity strategy, on December 21, 2016, the UK Government published “the Cyber Security Regulation and Incentives Review.” It follows an extensive consultation with management in the private sector.

The key points are: assurance that businesses protect personal data, within the framework of the EU’s General Data Protection Regulation (GDPR, Regulation EU 2016/679), which will remain in force after BREXIT. Similarly, the Directive on the Security of Network and Information Systems (EU 2016/1148), intended to ensure a high common level of network and information security across the European Union, will remain in force.

But the current plan does not include implementing any additional regulation beyond the data protection requirements set out in the GDPR and the directive. The government has simply stated in the strategy paper that “all businesses have a responsibility to consider their own cyber security and act in their business interests to protect themselves from cyber-attack.”

Board members should, however, be aware that they will become liable for failure to notify the Information Commissioner’s Office of data breaches, or for mishandling of data security leading to breaches at their companies, once GDPR becomes law on May 25, 2018.

Lack of Engagement by UK Directors for Cybersecurity

The UK Institute of Directors recently polled its members about cybersecurity issues. The results were shocking: Close to 50 percent of all directors surveyed said their companies had no formal cybersecurity strategy. Half of the board members surveyed did not know where their companies stored data.

Ciaran Martin, the head of the National Cyber Security Centre (NCSC), said that it is unacceptable for boards to plead ignorance about the threat from cyberattacks. The May 25, 2017, remarks came in the wake of the nationwide ransomware attack that brought operations at public and private organizations to a standstill.

“Boards must start to treat cyber threats with the same level of critical importance as they do financial or legal issues,” Martin added.

The challenge for UK directors is that they see cybersecurity as a function of risk management, and so leave it to managers to make policy. As a recent report noted, “they are out of touch with the importance of cyber security as businesses digitally transform their operations and engage with stakeholders increasingly through digital channels. Most companies are still struggling to join up IT and information risks with a wider understanding and management of business risks. This therefore increases the challenge of good decision making about cyber security and undermines meaningful board accountability.”

Corporate governance experts say that UK boards have to stop thinking of cybersecurity as an IT issue; it is a matter of corporate governance and industry reputation. Leadership must therefore start at the top, with cyber expertise in the boardroom, so the right actions are embedded in strategy and best practice percolates down to each and every employee.

“For a board, the subject should be as routine as audit,” the Irish Institute of Directors (IIOD) report said.

UK Boards Lack Skill Set

It is just as disturbing to find that only a handful of FTSE 100 companies have board members with specialist technology or cybersecurity experience, according to a study by Deloitte in February 2017.

Just one in 20 boards (5 percent) appear to have any cybersecurity experience among their members, according to Deloitte, which analyzed the annual returns of the FTSE 100 companies and the biographies of their board members.

Only 10 percent of board members receive any training in information technology risk management or cybersecurity, and only slightly more companies provide their boards with advisors on this subject. Nonetheless, these board members must oversee the internal control system responsible for managing cyber risk. Only 11 percent of these companies have created a new position or organizational entity responsible for cyber risk.

The survey showed that boards of directors made reference to issues like data security or threats, but then did not take any action to deal with them. For instance, more than half of companies mentioned cyber-contingency, crisis management or disaster recovery plans in their annual report, but only 58 percent disclosed that these plans had been simulated in test scenarios over the year.

Board members are encouraged to make more and better disclosure of cyber risks in the annual report, as the threat of loss of value is of significant concern to shareholders. Detailed disclosure is worthwhile to highlight the risks to shareholders and let them know that board members are aware of these risks and are making efforts to manage them. The better disclosures are company-specific, year-specific and provide sufficient detail to give meaningful information to investors and other stakeholders, according to Deloitte.

UK independent directors were the least aware of cybersecurity and had the least training in it compared with other groups of executives. Their knowledge of the implications of a cybersecurity breach (such as reputational damage) also trailed that of other groups of executives.

Another area of weakness in UK boardroom preparation for cyber risk is that of mergers and acquisitions. Bringing together two major British companies heightens risk and multiplies vulnerabilities, according to Justin Coker, Vice President – EMEA at consultant Skybox Security.

When UK banks Lloyds TSB and HBOS merged in 2008, the largest recent merger in UK corporate history, teams needed to understand three networks at once. Initially, the teams on both sides of the merger had to understand their own individual networks as separate entities to plan how they could fit together. These networks spanned 2,000 branches, 75,000 full-time staff and millions of customers. Then, the challenge was to understand the third network: the one that would emerge from the combined networks, which in the end comprised approximately 200,000 endpoints and would have its own vulnerabilities that may not have been present in the two separate networks.

With M&A activity on the rise in the UK, there is surprisingly little planning at the directors’ level to manage this kind of risk after prospective alliances are announced.

The need to comply with the two European Union laws coming into effect shortly will, however, put pressure on boards to improve risk management for cybersecurity.