08 Dec European Cybersecurity Campaign – Opinions and Experiences
FINANCIAL & CYBER PERFORMANCE – Starboard Advisory
Starboard Advisory: Performance, Digital Governance, Cybersecurity (starboard-advisory.com)
Why not assess the cyber performance of companies in the same way as their financial and non-financial performance (governance and CSR, corporate social responsibility)? And why not certify it the way financial performance is certified, by auditors whose intervention is mandatory for companies above a certain size?
Despite some progress, the vast majority of shareholders, and therefore boards of directors and management, are primarily interested in a company's financial performance. Yet the digital age is upending the company and its ecosystem. The "all-digital" world concerns every stakeholder: public administration and services, national and international infrastructure, defense and intelligence services. We have passed the point of no return. This brings important opportunities, but it is also a source of fragility and major risk, particularly because cyber threat actors are becoming more professional and have significant resources with which to defraud, spy and sabotage. The risks for companies are systemic. Shareholders are financially exposed, and directors, who are responsible for defining strategy and ensuring the company's sustainability, are legally exposed if they do not inform themselves about the quality of data security and information-system protection, and if they do not ensure that an organization, procedures and tools providing a high level of cybersecurity are in place. There is no such thing as zero risk, but a board would nonetheless be considered negligent if it took no action on the company's cybersecurity and an attack then had significant consequences for its operations, profitability and reputation. Financial performance should therefore no longer be the only priority: financial performance and cyber performance should now be the two priorities of corporate governance bodies.
Should we therefore reinvent the governance body defined by national law, namely its competences, its functioning, its agenda and its partners?
The digital world is borderless and immaterial, and its threats are invisible. Digital and related new technologies are transforming both the way companies operate and their business models. The main cyber risks are the disruption of industrial or commercial processes, financial loss, and the loss of considerable amounts of confidential information (strategic information, personal data). They affect every sector: hospitals, autonomous cars, banks, telecom operators, energy and so on, with potential human consequences. According to a frequently cited figure attributed to a 2018 study by the U.S. National Archives and Records Administration, 93% of companies that lost access to their data for ten days or more declared bankruptcy within a year of the disaster, and half (50%) filed for bankruptcy immediately after the attack. The question is not "when will we be attacked?" but "what can we do to protect the company as far as possible, what do we do in the event of an attack, and how do we restore systems as quickly as possible?" Cyber risk is inherent to companies and to individuals alike (everyone is concerned, both personally and as a member of an organization). It is not merely a technical risk. People are the weakest (and the strongest) link in the entire security chain.
There are cyber deaths among the victims. Cyber silence is a barrier to awareness. Too many executives and directors are burying their heads in the sand.
Companies are judged on their financial performance (their accounts, results, balance sheet, cash position, share price, and growth and earnings potential) and on their non-financial performance (their governance and their social and environmental performance), but what about their cyber performance? This means data governance and data security (integrity, confidentiality and availability), protection of the personal data they collect, use and archive, and protection of the computer systems through which this data is exchanged, stored and modified. A company may be financially successful, but a failure of its IT systems or digital security can seriously affect its ability to sell or produce, to pay its suppliers and to work with its subcontractors, and thus degrade its financial results, its reputation, and the confidence of shareholders and stakeholders. Cyber risk is not the preserve of a handful of specialists within the company; it concerns governance as a whole. Beyond the regulatory obligations on data security, it is a matter of protecting the company against loss of value, linked for example to the disclosure of confidential information. "All connected, all committed, all responsible" was the message of Guillaume Poupard, Director General of ANSSI, at FIC 2019: it applies from top to bottom and from bottom to top of private and public organizations alike, from the Board of Directors and the Executive Committee to every team.
The missions of Starboard Advisory are mainly to:
– Raise the awareness of executive and non-executive directors of the need for a digital strategy, and of directors' responsibilities and liabilities,
– Advise them on implementing cyber risk management and cybersecurity programs in their companies,
– Support them in building a cyber culture in their companies, through training programs (for users, IT teams, developers, managers and directors) and security policies,
– Help them define appropriate cyber governance (organization, competences, processes and policies, internal audit, external audits),
– Advise them on defining their digital strategy and allocating the right level of resources.
Marie de Fréminville is a non-executive director and founding partner of Starboard Advisory. She is also a member of the IFA (French Institute of Non-Executive Directors), HEC Governance and the Swiss Association of Women Directors. She is an expert in governance, financial performance, risk mapping and data protection, and the author of "Cybersecurity and Decision Makers", which received an award from the International Cybersecurity Forum in 2020.
Visit their website or follow Marie de Fréminville on LinkedIn.