The role of boards regarding Cybersecurity
Posted 20 Apr at 09:58h in Cybersecurity
The ECA is happy to reproduce the summary of the lecture by our Swiss expert member Marie de Freminville on the role of boards regarding cybersecurity.
This lecture took place at a meeting organized by Oodrive Switzerland.
“Cybersecurity has become a major concern for business leaders and boards of directors because it directly concerns the company’s image, its sustainability, its strategic and commercial positioning and is therefore strictly in the company’s corporate interest.
A cyberattack can seriously impact the financial performance of a company, as it can prevent the company from doing business: selling, delivering its products or services, paying its suppliers, or billing the customers. It can sometimes lead to the death of the company.
Cyberattacks can also have significant impacts on the company’s valuation.
Therefore, it is the responsibility and duty of Directors to “watch over” and guarantee shareholders and stakeholders that the company is managed with a view to its long-term performance.
The board must also monitor the company’s risk management system (the risks are not the same in all companies), and define a strategy to protect the critical assets: critical data or IT systems.
It is not enough to check that there are security experts in charge of cybersecurity. Too often, the CISOs assess the cyber risks, propose solutions, decide, and they are considered guilty if there is a cyber incident. A CISO cannot be behind each user. He can recommend solutions and define rules, but he needs the support of the management to ensure the application of the rules.
The Board of Directors has to check that the management develops cyberculture by training and raising awareness, as the users are the point of entry of attacks.
A digital or cybersecurity committee is a good practice, like a financial audit committee. It would make it possible to audit cybersecurity systems with an independent view. The goal would be to ensure the quality of cyber information, the reliability of risk management and internal control, the relevance of the cybersecurity system, the monitoring of threats, and the implementation of best practices in cybersecurity.
The board should firstly be well informed: it should be informed about the current threats, the risks the organization is facing, the steps to prevent incidents, and the new best practices relating to cybersecurity.
The board should quantify risk: discuss the cost of doing nothing, including reputational and financial damage. Be clear that accepting the status quo is a risk, and illustrate the cost associated with being unprepared.
The board should then talk about budget: have open conversations about investments in cybersecurity: tools, but also organization and training.
Lastly, the board should address a Business Continuity Plan.”
Written by: Marie de Freminville