BOARDROOM BEST PRACTICES

Why Should You Have a Cybersecurity Expert sitting on your Board of Directors?

A majority of UK boardrooms admit that they require greater expertise to secure their companies against cyber risk. The stakes are high: On average, the UK companies that participated in the survey hold £52.4 million of sensitive information each, including Intellectual Property or other commercially valuable data. Among financial services (banking) firms, this figure rises to £64.8 million. UK business leaders estimate significant ‘hard’ cost impacts of up to £2 million associated with the loss or corruption of their most valuable data in any given year. Naming a cybersecurity expert as a board of director is one action most boards are expected to take, but others will call in external expertise, or create specific committees for cybersecurity. Only 5 per cent of UK FTSE 100 firms have a cybersecurity expert on board.

Board of directors collaboration and cybersecurity

Only 5 per cent of UK FTSE 100 firms have a cybersecurity expert on board. According to a study by Deloitte, only 5 per cent of UK companies have named a cybersecurity expert as director. This is in spite of the fact that 87 per cent of FTSE 100 companies have identified cyber threats as a principal risk.And just 11 per cent of annual reports from these companies indicate that responsibility for cybersecurity has been taken over by a new person or committee.

Phill Everson, head of cyber risk services at Deloitte UK, described the lack of resources within FTSE 100 companies for dealing with cyber threats as ‘alarming’.“It is alarming that only one in 20 boards disclose that they currently have board members with specialist technology or cyber background and only a handful more disclose that they have advisors to the board with this experience,” he said. Yet, another survey shows that UK boards understand the need for a cybersecurity expert, either in the boardroom, advising the board or for board collaboration, given the high stakes at play.

In financial terms alone, the stakes are high. On average, the UK companies that participated in the survey hold £52.4 million of sensitive information each, including Intellectual Property or other commercially valuable data. Among financial services (banking) firms, this figure rises to £64.8 million. UK business leaders estimate significant ‘hard’ cost impacts of up to £2 million associated with the loss or corruption of their most valuable data in any given year. If the cost of cyber breaches trend continues to rise at its current rate (the cost of cyber attack for large UK firms was 13 times higher in 2016 than in 2012), these cost impacts are likely to ramp-up substantially.

Brand damage is identified as the number one impact by leaders in every sector, apart from telecoms. Here, and possibly with memories of TalkTalk fresh in telecoms executives’ minds, the chief impact is seen as damage to the share price or financial performance. A significant proportion (41 per cent) of retail executives identify operational disruption as a concern, perhaps reflecting the degree to which cybersecurity-related problems can threaten trust, impair the customer experience and disrupt e-commerce.

See how you can improve your cybersecurity practices within the boardroom with this free white paper download.

Should you appoint a cybersecurity expert as a board of director?

According to the London-based corporate governance consultancy Spencer Stuart, a growing number of companies plan to recruit a director who brings technology expertise to the board. “To address escalating cybersecurity risk, some boards have brought in a director who comes from a security background. Typically, these companies are at high risk for cyber-attacks and in industries like financial services and healthcare or conduct significant business online. The cybersecurity board member can help the management team make difficult risk management decisions as well as increase the general level of cybersecurity knowledge and awareness on the board. The level of IT savvy a company adds to its board depends on the business. Companies must balance many factors — including the need for industry expertise, financial knowledge and sophistication, global experience and diversity — in filling board vacancies. Whether or not a board adds a cybersecurity expert, boards need to ensure that they have adequate access to cybersecurity expertise. Many CISOs provide their boards with regular training on cybersecurity topics, or outside experts can be brought in for board education. However, the board should not isolate cybersecurity responsibility with just this one board member, but continue to view cybersecurity as a full board priority – legal responsibility for cybersecurity falls on board members individually and collectively in the UK, with potential criminal liability for individual directors who fail to take the necessary actions to secure the company against threats.

UK Boardrooms must organise and supervise cybersecurity

“However, from the point of view of efficient organisations, delegating cyber risk initially to an expert board member, to a committee (the risk or audit committee, for example) or to a separate committee set up for that purpose, can help boards facilitate deeper discussions that should be taking place, but aren’t possible due to competing agenda items in full board meetings,” commented Steven West, audit chair for Cisco Systems and Autodesk director. Regardless of how boards structure themselves around this matter, directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget to oversee cybersecurity risks.

Boards need to ensure that they are adequately briefed about the company’s security model and vulnerabilities. Briefings should occur on at least a quarterly basis, and if the management of cyber risk is allocated to a committee, the full board should also be briefed at least semi-annually. Regular briefings are critical, with management demonstrating progress on its security strategy and keeping the board apprised of challenges and changing priorities.

 Learn how Diligent Boards can keep directors engaged and communications secure. Book a demo to find out more.

Diligent board meeting software provides a secure environment for board collaboration

The Diligent board portal provides cyber protection that understands how boards work. From a governance standpoint, a secure board portal relies on the right people (and only the right people) accessing the right information at the right times, with no exceptions. Among customers and users, permissions to access data must be fine-tuned to a user and a document level. Safeguards must prevent unauthorised sharing.

Diligent’s modern governance solution are guided by global governance experience. A world of governance and IT knowledge informs the security behind our Governance Cloud ecosystem, which includes Diligent Boards, Diligent Messenger, Diligent Evaluations and Diligent Conflict of Interest. Data is hosted on secure servers and a world-class infrastructure that Diligent owns and operates. As part of Governance Cloud, all Diligent solutions are ISO and TRUSTe-certified and internationally audited, with robust customisable encryption and data access. If a device is lost or compromised, our remote wiping capabilities allow you to mitigate risk swiftly.

Featured Blog