Skip to main content

Cybersecurity and a Corporate Board of Directors’ Responsibility

Headlines about cybersecurity threats, malware-infected parts, and compromised websites are a frequent occurrence that has proven time and again to be devastating PR and IT debacles for enterprises. With new types of risks always on the edge of the periphery, private and public sectors are ramping up initiatives to protect assets, business functions, and consumers from costly breaches. In 2019, it was projected that cybercrime would cost businesses around $2 trillion.

Hackers target sensitive information, such as identity, password, bank numbers, username, and accounts. Financial institutions, SaaS, and high growth businesses are, particularly at risk.

“A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole. It is incumbent on the board of directors to demand information and insight on the issues that could affect the future of the organization. Cybersecurity is one such issue,” wrote Tom Horton in Directors and Boards, Cybersecurity: What the Board of Directors Needs to Ask.

Addressing Challenges

Cybersecurity’s ramifications surpass the IT department — affecting the whole organization. According to a study from the National Association of Corporate Director, only 37% of board members felt their company was properly secured against a cyberattack (the 2017 statistic, falling from 42% in 2016).

The board of directors must identify their organization’s vulnerabilities and work to build preparedness with the executive team, which includes understanding what information needs to be protected, where are the risks and who may attack the organization, and how the organization will react in the case that it is attacked.

Outside forces beyond the organization’s control, regulations, associated security measures, and incident response costs, and the staff’s ability to respond and support cybersecurity initiatives are important additional considerations.

Current Climate

Regulators are focused on protecting consumers and organizations by setting standards for operational resilience and resiliency plans. The Department of Justice has also issued cybersecurity guidelines for board members.

While many of the day-to-day operations and cybersecurity minutiae are not necessary for the board to oversee, the group should have a strong understanding of what happens in the event that cybersecurity impacts the business. CIO Magazine says key information pieces encompass a whole view of how critical business processes could be affected by a breach, how decisions are made in an emergency, and how company compliance can impact a breach.

Proactive Measures Can Be Taken From Within

It is up to the organization’s board to build a culture of security, setting expectations for management and deciding on a structure that is either board direct oversight or a cyber risk committee.

Risk consultant Rayleen M. Pirnie suggests that the corporate board take the following actions for identifying and mitigating cybersecurity risks:

  • Set the tone from the top and build a security culture
  • Identify, measure, mitigate, and monitor risks
  • Develop risk management processes commensurate with the risks and complexity of the institution
  • Shore vendor management program to ensure that all third party vendors are in compliance
  • Align cybersecurity strategy with business strategy and accounting for how risks will be managed now and in the future
  • Create a governance process to ensure ongoing awareness and accountability, including the formation of a cybersecurity committee
  • Ensure timely reports to senior management that include meaningful information addressing the institution’s vulnerability to cyber risks
  • Assess insurance coverage and needs

A corresponding Cyber Incident Response Plan goes beyond a Disaster Recovery Plan and is designed to limit damage, increase the confidence of stakeholders, reduce recovery time and cost, protect account holder information, and protect the integrity of payments says, Pirnie.

Cybersecurity is a real threat and should be taken seriously across industries. Mitigate risks, minimize damage and keep operations on the up-and-up in the event of a cybersecurity threat by unifying the board’s vision of a comprehensive response plan and keeping proactive and reactive measures up to speed.