Faster, higher, stronger… those tenets so evident in the Olympic Games might equally describe the drive for digital transformation as businesses strive to adopt technologies that will unlock better commercial performance, more efficient operations and quicker time to market. However, there is an essential fourth tenet for governance, risk and compliance (GRC) professionals: “safer”. Because there is no doubt that, as businesses restructure around digital processes and partner with numerous third-party organisations to build complex digital ecosystems, the role of cyber security is critical.
Digital Transformation and Cybersecurity Are Inextricably Bound
As businesses seek to grow more flexible and scalable by migrating core systems to the cloud and supporting the rapidly evolving “work from anywhere” culture, their digital footprint grows exponentially. The attack surface has expanded, with more endpoints than ever before and employees accessing confidential customer and corporate data via home and public networks. This has created an enormous opportunity for cybercriminals to capitalise on, and they haven’t been slow to respond. Furthermore, the cost of a cyberattack can be around €3.3 million, so it is worth bearing in mind that a low-cost security solution can end up costing many millions.
Malicious external threats are not the only cyber risk facing organisations and their boards. As our work and home lives become more closely intertwined, IT and governance teams must now consider deploying security measures that protect employees’ home offices and mobile work set-ups, to prevent them from inadvertently sharing or losing sensitive data.
Effectively, data must be protected at every point in its journey through the organisation — and also when shared with authorised third parties — if the risks associated with theft or accidental loss are to be mitigated. With these risks ranging from reputational damage and operational impacts to legal compliance failure and, in the case of the theft of corporate intellectual property, competitive compromise, GRC professionals could be forgiven for wishing that the digital transformation genie could be put back in the bottle. However, competitive drivers mean the business can’t afford to be left behind, something highlighted by the pandemic, where digital laggards found themselves at a considerable disadvantage when establishing remote-working, for example.
So, how can GRC professionals work with colleagues in IT to build a cybersecurity framework that works for board business and beyond?
Choose the Right Technology to Support Processes
The first step is to examine the current processes and associated data flows to identify gaps that can be plugged through further digitisation and the use of supporting tools. For boards, the creation and sharing of confidential board materials is an excellent example. Often companies have digitised part of the process but haven’t yet found an end-to-end solution. So, we might see board packs being created as documents in a secure area on the corporate network by governance team members before being dispatched to directors via email.
There are a couple of weak points in this approach. First, version control and security challenges exist when multiple people are working on the same document. As Diligent SVP and MD Liam Healy put it: “It’s often not the final version that’s the most sensitive; it’s version ten. And if that version is leaked or sent to the wrong email account, that’s a big risk.” Yet this is easily done as team members collaborate to get the job done.
The second risk arises in the distribution phase. Email is not a secure channel through which to share sensitive information. This is even less the case when it is shared outside the corporate network with non-executive directors who may be using personal email accounts. A compromised inbox could see critical data stolen. If the lost data is subject to the stock market or data privacy regulations, its publication or illegal use constitutes a severe compliance failure.
Board-related cyber risk can be mitigated by providing governance teams with secure board management software to create, collaborate and distribute board materials. Tools such as Diligent boards also deliver version control and audit trails, enabling tracked changes and individual access and editing rights locked down to the least privilege levels.
The principle of least privilege and its related philosophy of zero trust networking are gaining currency across the cybersecurity landscape as the traditional corporate network perimeter has dissolved. If GRC professionals understand and implement this in relation to board activities, they can align with colleagues within the broader security space who follow this approach.
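As an added illustration (not code from this article or from Diligent), the following Python model shows how least-privilege access rights, version control and an audit trail combine to stop the “version ten” leak described above: editors work on drafts, directors can only read the published pack, nothing can be exported to an inbox, and every refused request is recorded for GRC review. The roles, policy matrix and sample data are constructed for the example.

```python
from dataclasses import dataclass, field

# Roles, states and data are constructed for this example, not a vendor's schema.
EDITOR, DIRECTOR, EXTERNAL = "editor", "director", "external"
DRAFT, FINAL = "draft", "final"

# Least-privilege matrix of (role, action, version state) tuples that are allowed.
# Anything not listed is denied: directors never see drafts, and no role has an
# "export" action, so a copy cannot be pushed out of the portal to an email inbox.
POLICY = {
    (EDITOR, "write", DRAFT), (EDITOR, "read", DRAFT), (EDITOR, "publish", DRAFT),
    (EDITOR, "read", FINAL), (DIRECTOR, "read", FINAL),
}

@dataclass
class BoardPack:
    versions: list = field(default_factory=list)  # one dict per version, never reused
    audit: list = field(default_factory=list)     # (user, role, action, n, allowed)

    def _decide(self, user, role, action, n, state):
        """Evaluate one request against POLICY and record it in the audit trail."""
        allowed = (role, action, state) in POLICY
        self.audit.append((user, role, action, n, allowed))
        return allowed
    def write(self, user, role, body):
        """Append a new draft version and return its number, or None if denied."""
        n = len(self.versions) + 1
        if self._decide(user, role, "write", n, DRAFT):
            self.versions.append({"n": n, "state": DRAFT, "body": body})
            return n
        return None
    def read(self, user, role, n):
        """Return a version's body, or None when least privilege denies it."""
        v = self.versions[n - 1]
        return v["body"] if self._decide(user, role, "read", n, v["state"]) else None
    def publish(self, user, role, n):
        """Promote a draft to the final pack that directors may read."""
        v = self.versions[n - 1]
        if self._decide(user, role, "publish", n, v["state"]):
            v["state"] = FINAL
            return True
        return False
    def denied(self):
        """Audit-trail query: every refused request, for review by GRC staff."""
        return [a for a in self.audit if not a[4]]

def demo():
    """Walk through the 'version ten' scenario and return the observable results."""
    pack = BoardPack()
    for i in range(10):
        pack.write("alice", EDITOR, f"draft {i + 1}")   # constructed sample content
    draft = pack.read("bob", DIRECTOR, 10)             # denied: v10 is still a draft
    pack.publish("alice", EDITOR, 10)
    final = pack.read("bob", DIRECTOR, 10)             # allowed: now the final pack
    outsider = pack.read("mallory", EXTERNAL, 10)      # denied: no external grants
    return draft, final, outsider, pack.denied()
```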
Preparing Your Organisation for Today’s ESG Data Challenges and Beyond
Environmental, social and governance (ESG) issues have become more complex and multifaceted than ever before. At the same time, ESG continues to ascend on board and leadership agendas.
On the environmental side, corporations must accelerate their response in areas from water and fossil fuel consumption to environmental waste and climate change, all while navigating social issues such as pay equity and fair labour standards. They must also consider the increased attention to responsible, efficient governance, particularly in areas such as executive compensation and CEO succession.
The EU’s ‘Green Deal’ — launched in 2019 by the European Commission — incorporates notable elements covering the integration of sustainability factors and climate risks into the bloc’s financial policy framework. Subsequently, the EU Regulation on sustainability-related disclosures in the financial services sector (also known as the Sustainable Finance Disclosures Regulation or SFDR) came into effect on March 10 2021.
The SFDR applies to financial-market participants (FMPs) and introduces the concept of Principal Adverse Impacts, which cover sustainability factors that include environmental and social issues and employee, human rights, anti-corruption, and anti-bribery matters.
The EU is phasing in SFDR between now and 2023, although phase two, which involves the “principal adverse sustainability impacts statement”, has now been delayed by six months to July 2022.
Additionally, the EU Taxonomy Disclosure Requirements, adopted in July 2021, demand that large companies, banks, asset managers and insurers report, through certain KPIs, the proportion of environmentally sustainable economic activities in their business, investments, lending or underwriting activities.
As the reporting environment continues to evolve, it is time for GCs, board members, and executive leaders to review their climate leadership goals and frameworks. They must put the right data, technology and reporting in place to get ahead of environmental disclosure requirements before they become mandatory, and digitalisation can also be the boost companies need to make ESG reporting a seamless reality. The Diligent ESG solution simplifies ESG data collection, benchmarking and reporting, and provides audit-ready documentation and reports for every step of the process. Diligent ESG is intuitive to use and highly flexible, so it can scale as your ESG needs evolve.