Adding Cyber Security to Corporate Risk Management
Corporate boards and senior management like to focus on business. They love the numbers, the strategy and the success of a business operation. They have a passion for it, and that is why they are sitting on a board or managing a global company.
They do not like to talk as much about risks, much less plan for them. When it comes to information governance and protecting the company from hackers and cyber-intruders who can harm the company, corporate leaders inevitably turn to their information technology specialists.
This dynamic has to change. Information governance is now part of the corporate risk management fabric. If you look at all the data breach incidents, one significant omission is the failure of the company to have in place an incident response plan to escalate and minimize any damage.
An incident response plan alone is not enough these days; companies also have to devote resources and attention to assessing data vulnerabilities and protecting against hackers and other intruders. At the same time, companies face serious internal risks created by BYOD policies and practices, as well as simple employee mistakes.
Cyber risks have become a fundamental focus for investors, and the SEC requires disclosures of material events relating to cyber intrusions. So far, few companies have made such disclosures.
Corporate boards have to become proactive in this area – they need to ask the tough questions.
- Does the company have an incident response plan in place to reduce the impact of a security breach?
- Are the key stakeholders assigned specific roles in this process?
- Does the board have a reporting mechanism in place to monitor these occurrences and ensure that the company responds appropriately to such an incident?
It is easy to focus on the crisis management scenario without adequately investing in the up-front measures that protect against a cyber intrusion. Companies have to spend more on the proactive approach to minimize risks. This is a familiar refrain when addressing a number of risks, but when you consider the financial and reputational damage from a cyber attack, a company has to prioritize cyber risks.
Cyber security is not just an issue that should be relegated to the information technology specialists. Board members and senior managers have to become more familiar with technology issues in order to manage these risks. Reporting lines and authorities have to be made clear well in advance of a cyber attack so that the risks can be managed.
Finally, once a governance structure is put in place to address these issues, the company has to devote time and energy to testing its incident responses. Companies will quickly learn which strategies work and which do not. Call it a cyber-fire drill, but such exercises are well worth the time and attention in order to avoid disastrous events.
In addressing cyber risks, companies often ignore the risks created by their vendors. Companies have to assess the risks that vendors create for them. It is too easy to ignore vendor risks and focus only on internal risks. A vendor-created cyber security risk complicates both risk management and the response, and it usually spills into lengthy and complex litigation.
You say “When it comes to information governance and protecting the company from hackers and cyber-intruders who can harm the company, corporate leaders inevitably turn to their information technology specialists.”
Perhaps the answer is that Corporate Leadership needs to embrace and include information technology specialists?
As a board director I have never had any issue with the company taking its Cyber Risks seriously – because I was also the IT leader I simply ensured that it happened and my board colleagues understood and agreed. All companies of any substance are now utterly dependent on information technology, so I think it’s fair to suggest that any board which does not include an information technologist is inadequate for the purpose of providing governance and direction to the enterprise – the cyber-risk dimension is merely a red herring symptomatic of the underlying inadequacy of board understanding of IT.