Many boards still see Cyber-risk as an IT issue. It is vital that they see it as a business risk. Tom Draper of Arthur J. Gallagher discusses how to get them engaged.
Cybercrime is rapidly becoming one of the biggest threats a business faces - a fact well illustrated by the latest survey of Airmic members. In PwC’s recent 19th annual global CEO survey, nearly two thirds of respondents listed cyber security as one of the top ten key threats to their company, and as the “internet of things” becomes a reality and businesses become more digital, the risk will only increase. But there is still a lack of understanding at board level as to what constitutes cybercrime and how companies should react to a cyber-incident.
Cybercrime encompasses three elements: a data breach, where information has been stolen; cyber interruption, where networks have been compromised; or financial crime, where money has been stolen. Cybercriminals pursue either money or information, and the disruption caused by their intervention is generally a composite of those motivations. For FTSE companies the greatest threats are the first two, loss of data and network failure, and it’s imperative that the board knows how to respond in the event that either of these should occur.
Many board executives are aware of “cyber” but perceive it as an IT issue, so we have seen companies delegate responsibility for managing this risk to the Head of IT. The reality is that it is a business risk, so it is the company’s collective responsibility to take a proactive attitude towards cybersecurity, and implementing a cyber-aware culture requires a top-down approach.
Being prepared is at the heart of any company’s response, and the board is responsible for overseeing the creation and testing of an incident response plan. The board needs to understand what the business is reporting in terms of cyber risk and then provide appropriate responses to manage the threat. For example, it can help procure funds for the security and wider risk management teams so they can run tabletop exercises to test the systems and educate staff on recognising phishing emails and other forms of attack.
The board should also be challenging the executive team on what would happen in different scenarios, ensuring that escalation procedures have been tested and that the necessary internal structures are in place to respond to a breach. This includes ensuring a crisis communications plan is in place to manage and control the messaging in the event of an attack; it’s important that companies implement a coordinated and orderly approach to communicating in the event of a cyber-crisis.
In the event of an attack, the board should have limited involvement. It plays a key role in helping the business strengthen its defences against an event, by providing strategic counsel on managing the risk and helping to implement a culture of cyber resilience. Companies need to spend time conducting full risk assessments to understand the threats they face from cybercriminals, the impact that lost data and information will have on the business and how insurance can be used to help transfer the cost of the risk.
Cyber is a company risk and needs to be recognised by the board and senior management as a serious and realistic threat. As such it should be approached like a health and safety issue, terrorism issue or similar crisis events. It is the board’s responsibility to consider how the risks can be managed, what steps can be taken to minimise the fallout from a breach and the role of communications in the event of an attack.
Tom Draper is Head of Cyber at Arthur J. Gallagher