KPMG
The working world is increasingly digitised, and cybercriminals are forever employing more sophisticated tactics to exploit businesses. The consequences, should they succeed, range from mildly inconvenient to catastrophic.
Just a few years ago, cyber security was dismissed as an IT problem in need of an IT solution, beyond the scope of the board’s responsibilities. Today, directors in general are recognising they should approach cyber security as both a strategic business enabler and an enterprise-wide risk management issue.
Yet, despite climbing the list of priorities, cyber security remains a daunting prospect for many boards. Whether the cause is a scarcity of expertise, a lack of awareness of the cyber risk landscape, or the very real challenge of translating this complex and dynamic field into business context, the resulting lack of scrutiny and management at board level is still putting many companies at risk.
Here are five things directors can do to add value at their next board meeting:
Understanding what business functions and information you are trying to protect, and how they could be impacted in an incident, is the critical first step for directing effort and budget. Cyber risk is in a constant state of flux as threats and their potential impacts evolve and change.
There are fundamental approaches to managing cyber risk; for example, effective incident response planning can reduce a wide range of risks. However, as cyber threats evolve so should your organisation’s focus. Maintaining an understanding of the threat landscape enables your board and organisation to adapt over time.
Most businesses have thousands of vulnerabilities that could expose them. As a board, you need to be clear with management about which risks require your attention, what you need to know about them, and how you want that information presented so that it is useful.
By communicating your needs for reporting clearly, the people who are at the frontline, managing your organisation’s security controls, have a blueprint for how to distil complex information in a way the board can understand and act on.
The board plays a critical role in incident response management before, during and after an incident. Failing to plan is planning to fail. Robust preparation for an incident improves your chances of minimising impacts. An incident response plan to guide how you should respond to a range of risks, threats and disruptive events is imperative.
In addition to guidance on detecting, analysing, containing, eradicating and recovering from an incident, it should include criteria by which management should inform and consult the board. When an incident occurs, the board should provide oversight of the crisis management team’s response, looking for blind spots and ensuring the response is properly resourced. Particularly in the absence of a tested plan, an incident may be extremely stressful, technically overwhelming, emotionally and financially draining and completely unfamiliar for your management team.
Boards should keep a close eye on the performance of their team to avoid exposing the company to further risk or impact. Depending on the scale and severity of the crisis event, the board’s role may change from oversight to leadership, should the board need to exercise its decision-making powers (for example, getting external support if the board feels its internal teams need expert guidance).
Finally, it is critical the board has a thorough understanding of its legal responsibilities and keeps abreast of changing regulatory requirements. Regulatory bodies, such as the Financial Markets Authority and the Privacy Commissioner, may require notification, as do some insurers.
Boards should proactively engage with emerging trends so they can anticipate new and developing threats and respond accordingly. Cloud-based cyberattacks have massively increased in the past year. Companies are putting more of their critical workloads on the cloud, and malicious actors have responded by pivoting to cloud-specific attacks. The same applies to legislative and regulatory trends overseas because chances are they will make their way to our shores, too.
In Australia, for example, we are seeing an increasing number of class action lawsuits and new cyber security regulation with culpability falling on the shoulders of CISOs and CEOs. New Zealand legislation is relatively light, but there is an increasing expectation of a duty of care for how companies manage their customers’ data. We may see these expectations enforced through legislation or the courts – cyber regulation may be on a similar trajectory to the health and safety responsibilities placed on directors.
Board members retain and store large amounts of critical and confidential company information. This can pose a significant threat if that information is not managed safely. What’s more, board members can become an ‘attack surface’ if they sit on multiple companies and don’t use different systems to segregate and store information.
In addition to all the usual precautions, such as multi-factor authentication and being aware of potential phishing attacks, board members should ensure company information is segregated and encrypted in transit and at rest.
Cyber security is a holistic business risk that touches your organisation’s technology, people and processes. You don’t need to be an expert to add value to conversations at the boardroom table. Rather, in addition to making cyber security a regular agenda item at board meetings, simply implementing these five easy steps will go a long way to reducing your organisation’s risk.