Cyber risk is a major concern for businesses, and boards need a strong foundation for governing these risks [4]. However, many board members struggle to understand and address cyber security risks [3], which leaves their businesses more exposed to attacks [2]. This lack of understanding has significant business impacts [2], but there are steps boards can take to improve their cyber expertise and preparedness.

Description

According to a report by the cybersecurity consultancy Savanti, 59% of directors feel their board is not effective at understanding the drivers and impacts of cyber risk, despite ranking cyber security as a top priority [3]. The report recommends that boards have at least one member with direct experience in cyber security, discuss cyber security at least quarterly in board meetings [3], and understand how long recovery from a disruptive cyber attack would take [1] [3]. It also highlights the global rise in cyberattacks, which increased by 38% in 2022 compared with 2021 [1].

This lack of understanding among board directors has significant business impacts: enterprises with effective cyber preparedness see higher revenue growth, valuations, and net margins [2]. Cyber attacks can lead to higher insurance premiums, business disruption, reputational damage, and other costs [2]. Board interest in cybersecurity is growing because of media reporting, investor pressure, and regulatory changes [2]. However, many board directors struggle to challenge the information they receive from their organization’s Chief Information Security Officer (CISO).

To develop an effective cybersecurity governance strategy, Savanti suggests five steps, including smart and focused regulation and pressure from investors and public bodies [2]. Companies that effectively manage all of their risks, including cyber risks, perform better in the marketplace [4]. The World Economic Forum report [4] provides guidance for corporate directors on developing a cybersecurity strategy and engaging with stakeholders on cyber risk. It sets out six consensus principles for board governance of cyber risk and gives directors advice and critical actions for understanding their organization’s current position, exercising oversight, and setting future goals [4].

Conclusion

The lack of understanding and awareness of cyber risk among board directors can have significant impacts on businesses. It is crucial for boards to improve their cyber expertise, especially with new security regulations coming into force [2]. By having board members with direct experience in cyber security [1] [3], discussing cyber security at board meetings [1], and understanding how long recovery from a disruptive cyber attack would take [1] [3], boards can better protect their organizations.

The global rise in cyberattacks highlights the urgency for boards to act. Boards need to stay ahead of cyber regulation, report on their relevant expertise and risk management arrangements, and address their lack of understanding [1]. Effective cyber security not only mitigates risk but also supports higher revenue growth and investor confidence. Boards must recognize the importance of cyber security and take proactive measures to ensure the resilience of their organizations in the face of cyber threats.

References

[1] https://www.adsadvance.co.uk/many-uk-companies-struggling-with-cyber-security.html
[2] https://www.infosecurity-magazine.com/news/board-members-understand-cyber/
[3] https://www.business-money.com/announcements/more-uk-companies-failing-to-tackle-cyber-security-says-new-report/
[4] https://www.weforum.org/reports/principles-for-board-governance-of-cyber-risk