The Board of Directors and Cybersecurity

Board of Directors: Threats, Challenges and Opportunities in Cybersecurity

Cybersecurity is now the responsibility of the board of directors, and boards should acquire the skills needed to protect the organisation from cybersecurity threats. But the challenge to take on the cybersecurity threat also offers opportunities in setting metrics and determining goals. Diligent’s board management software provides security at the highest level, but also enables boards to learn cybersecurity skills and to take advantage of these opportunities.

UK Boards Should Have Robust Cybersecurity Teams

The average cost of a data breach in the United Kingdom in 2018 was about £3.08 million (US$4 million), according to the Ponemon Institute. That’s a potent cybersecurity threat for a board of directors to confront, and explains why UK investor groups are monitoring boards for technology skills these days.

Companies should have robust cybersecurity teams, and they should report to a board-level executive with technology skills, warns Ovidiu Patrascu, research analyst at UK investment bank Schroders. “As seen in a number of recent high-profile public failures, data breaches often uncover poor governance practices and weak management at the heart of companies, while also hitting their revenues and intangible assets such as reputation and trust. Cyber risk should also not just be the preserve of tech specialists — company boards also need to ensure they understand and can effectively oversee these very particular risks,” Patrescu adds.

Institutional investors want boards to implement policies on governance, internal controls and how they are managing cybersecurity risk, and they want details of these operations communicated to stakeholders: What risks do they face? Are the correct internal controls in place?” explains Rupert Krefting, head of Stewardship at M&G Prudential.

Cybersecurity Challenges For Boards

Perhaps the greatest challenge for boards in confronting the threats of cybersecurity is to get up to speed with how threats work and what companies ought to do about them.

“Cyber risk is a big issue,” he says. “IT skills on boards can be really important [in order] to challenge what a head of IT is doing at the inside. Boards need to be on top of it,” says Leon Kamhi, head of responsibility at Hermes Investment Management, in a report.

“A board should not just be aware of the company’s cyber strategy, but should also be monitoring how it is working, frequently testing it, spotting any weak points and challenging executives on where it needs to change. Moreover, boards should also be evaluating how well a company responds when there is a breach.”

“Because of the technological advancements and disruptions that have taken place over the past decade, companies need executives who are responsible for the day-to-day ccybersecurityat the highest level and who actively work with key business heads,” Kamhi says.

Opportunities For Companies In Cybersecurity Risk Management

Certainly, managing cybersecurity risk is a considerable expense, but it also opens up a considerable number of competitive opportunities for UK boards.

“The use of security metrics to measure success and inform investment decisions offers an opportunity to UK companies. Though just one in five organisations makes heavy use of metrics within their security function, a full 50 percent of firms surveyed are moderate users of such measurements. The use of metrics in the cybersecurity realm provides an excellent opportunity to bring together many parts of the business. From the board level through layers of management down to the people executing security activities, all have a vested interest in setting the proper metrics and reviewing progress against goals,” reports the IT trade organisation CompTIA in a recent report.

In fact, boards of directors and management should work together to integrate cybersecurity measures into broader business strategies, the CompTIA report says.

In addition to securing the valuable data organisations already maintain, evaluating cybersecurity risks should be an essential step when considering new products, services or operations. When assessing opportunities, board members and executives must lead the discussion about identifying cybersecurity risks and ultimately decide whether those risks are worth taking on, says McKinsey in a recent article.

As cybersecurity issues affect so many other threats a company faces, including operational, financial and legal risks, the board should take the opportunity to view cybersecurity as part of its larger responsibility to manage organisational risk, CompTIA continues. Cybersecurity should be assessed in the context of a company’s strategic plan, in which risks are balanced alongside growth opportunities. To do so requires collaboration between senior leadership and cybersecurity professionals, who can best determine the proper risk management steps.

Diligent makes sure you are ready for all threats

Diligent, as the long-standing market leader for high-level corporate communications, is uniquely positioned to offer its clients the highest level of assurance around security measures. Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.

All members of Diligent’s Security Team are active participants in the information security community in order to maintain up-to-date knowledge and expertise. This means that they are aware of nearly anything that hackers have available, ready to thwart all of the most sophisticated attack techniques.

Diligent has established a security program based on industry standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Diligent Boards™ data is housed in a world-class hosting infrastructure. Co-location data-hosting facilities are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent board management software is not hosted by any third-party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centres is limited to authorised personnel only and is verified by two-factor authentication.

Data is encrypted at rest, in transit and on the user’s devices. The Diligent Boards service supports the current recommended secure cipher suites to encrypt customer data in transit and at rest. Customer data is encrypted at rest on Diligent’s storage systems and on the customer’s mobile devices that run the Boards apps. Customer Data encryption keys are stored in a tamper-proof FIPS 140-2 L3 certified Hardware Security Module.

Diligent has a documented Security Incident Response Program in place to handle security incidents. Incident response procedures are tested and updated at least annually. All incidents are managed by Diligent’s Security Incident Response Team. Diligent classifies the event and determines the incident response process. In the event of a security breach, Diligent will promptly notify customers of any unauthorised access to their data.