How should Boards of Directors approach Cyber Threat Issues?
The increasing number of high-profile cyber attacks on listed companies is having a galvanising effect on Boards of Directors.
They are, of course, highly conscious of their fiduciary responsibilities. But it’s also worth noting that institutional investors are actively questioning companies about their management of cyber risk.
In September, for example, the UN-sponsored “Principles for Responsible Investment” (PRI) will devote a whole session of its annual “PRI – In Person” conference in London to a discussion of cyber issues (see www.unpri.org/events/pri-in-person-2015). Schroders, meanwhile, recently published a “tool kit” for investors on the subject (see www.schroderstalkingpoint.com/tp/region/global?id=a0j5000000A53dMAAR).
An issue previously left (at best) to a Board’s audit and risk sub-committee should now be “front of mind” for every Board Director.
So how can Directors ensure that their senior Executives are managing cyber threats effectively?
Some useful guidance is now available. Last summer the U.S. National Association of Corporate Directors (NACD) published a paper on “Cyber Risk Oversight” in their “Director’s Handbook” series (available at www.NACDonline.org/cyber).
I have to declare an interest here: I was involved in the development of the paper. But it’s fair to say that the NACD booklet – co-authored by the Internet Security Alliance (ISA) and AIG – was immediately and widely welcomed. I was struck, for example, by the numerous favourable mentions it received at the recent RSA Conference in San Francisco, where several sessions focussed on the Board management issue.
The NACD paper sets out five key principles on which Boards need to focus. It’s a great place to start, though cyber threats are moving at such a pace (e.g. with the Internet of Things and the Cloud) that no paper on the subject can ever be “definitive”.
When I spoke at the NACD cyber summit in Washington last month, I was struck by just how much work we have to do to educate Board Directors on cyber threat issues, but equally struck by the reassuring fact that Directors are increasingly keen to learn.
The fundamental lesson is that managing cyber threat – once regarded as a purely technical issue – must now be a central element of a company’s enterprise risk management approach. This means that people from across the company – e.g. Finance, Legal, Facilities, HR and Media Relations as well as security risk managers – all need to be engaged.
This October will see the publication of a detailed free guide “Cyber security – a practical guide for C suite and Boardroom”, sponsored by the New York Stock Exchange and Palo Alto Networks. Early in 2016, the Internet Security Alliance for Europe (ISAFE) and others will launch a UK version.
At last Boards of Directors – and investors – are beginning to get the guidance they need.