Board behaviour and effectiveness are becoming increasingly visible to investors and other stakeholders. In the past few years, all stakeholders, including the European Commission, have reinforced their focus on corporate governance matters, issuing several rules and guidelines in this regard. Most of these global mandates raise, among other aspects, the issue of increased board accountability to stakeholders and responsibility in the corporate governance framework through better functioning and more appropriate structures.
The board plays a crucial role in ensuring that the company is adequately managing its cybersecurity risk. The first task is that the board must appropriately prioritise cybersecurity and ensure cybersecurity policies and procedures are in place and appropriately funded. There is no such thing as cheap data.
Companies have various approaches to board evaluation in terms of methodology and objectives. In setting up the framework. However, in connection with the missing IT, data and cybersecurity element, each board evaluation must address:
- Will the exercise identify the IT and data skills in the board composition?
- Is there a commitment to IT governance and to cybersecurity training and awareness as a compliance exercise?
- Will added IT and data knowledge sustain the performance of the board?
- Which assets can be compromised in the event of an IT or cyber threat or breach?
Traditional evaluations, based on the best practice laid out in the global corporate governance codes, do not address the new risks and threats when listed companies conduct board performance evaluations. Board evaluation must develop as a vital process for improving board performance and dynamics, whatever the size, status or type of organisation. It should focus on the enterprise-wide IT risk management framework, addressing inadequate staffing and resources, to ensure awareness and oversight of multiple organisational risks, including IT and cybersecurity.
Most evaluations do not include a vital component: the increasing need to understand that IT security, data protection, data privacy and cyber crime are a risk management issue that affects the entire organisation. This issue not only requires board oversight; it is a board responsibility. Although boards of directors are aware that they need to stay informed about cybersecurity, keeping up with it in the complex, rapidly evolving world of IT, data privacy and IT security is often a challenge. Almost all governance surveys of board, IT or audit committee members have found that only approx. 20% of directors agree that their company has cybersecurity risk well under control.
Therefore, ensure that the following 10 IT and cybersecurity components have a place in the next board evaluation:
- Cybersecurity risks are well under control
- IT executive (CISO) occasionally reports to the board
- Identify the key questions directors should be asking — both of themselves and management
- Highlight the board’s role in overseeing cyber risk and cyber threats
- Does the board have information on how to acquire and monetise information on personal data?
- Identify the issues on Business Continuity and IT and cyber threats that can disrupt the business, deliver reputational damage and impair the value of the enterprise
- Categorise the areas of regulatory investigations, loss of intellectual property and financial risk from fraudulent transactions
- Has the board ensured that there is executive ownership of IT security, including for decisions about new programs and products?
- Recognise that cyber risk cannot be eliminated and that breaches are inevitable; even the best plans have flaws.
- Review the IT and cyber risk intelligence and mitigation plan and the response plan in the event of a breach.
Allocate resources based on the data and IT risk appetite and strategic assets.
During the evaluation, identify the potential vulnerabilities in the company's IT network environment, so that the BoD is aware of who can connect to and infiltrate the systems, which third parties have access and who approves it, and how mobile and social media are handled as a policy from the board.
Therefore, the board must start the IT, data and cybersecurity journey so that it has the technical capabilities and does not panic or become uncertain when a malicious cyber event is identified in real time. It must be aware of how the penetration testing and the response plan for a breach or attack are working, and how often the response plan is tested, to avoid the black screens that many companies have experienced.
With the above IT and data focus, the board will meet the regulatory requirements and may even be part of the motivation behind the IT security exercises, as the primary driver and part of the tone-from-the-top, and become a high-performing board, well-suited to anticipate, meet and overcome the challenges ahead.
At our Certification Seminars, most of the above issues will be discussed in relation to Board of Directors and Senior Management accountability and responsibility concerns.