High-performing boards understand the risk of cybercrime. They know data breaches can expose organisations to huge economic losses, reputation damage, disclosure problems and class actions. But even the best boards might be unprepared for what’s ahead.
Robert Jackson, Commissioner of the US Securities and Exchange Commission (SEC) this month described cybersecurity as “the most pressing issue in corporate governance today”. He said cybersecurity is much more than a technology or regulatory issue; it is fundamentally about governance.
“Cybercrime is an enterprise-level risk that will require an interdisciplinary approach, significant investments of time and talent by senior leadership and board-level attention,” Jackson said in a speech in the US, which the Harvard Law School Forum for Corporate Governance and Financial Regulation this week published.
Jackson added: “In short: the cyber threat is a corporate governance issue. The companies that handle it best will have relevant expertise in the boardroom and C-suite, a strategy for engagement with investors and the public and – most of all – sound advice from corporate counsel who can navigate uncertain law in a critical area for the company’s business.”
Jackson’s advice is timely for boards. Cybercrime will cost the global economy US$6 trillion annually by 2021, tech researcher Cybersecurity Ventures estimated last year. If correct, cybercrime’s cost will have doubled since 2015, representing one of the greatest transfers of wealth in human history.
More than 1,000 data breaches in the US alone in 2016 cost companies there an estimated US$100 billion, according to the Identity Theft Resource Centre. Major data breaches involving Target, Uber and Yahoo and other conglomerates have caused huge damage.
Target’s cyber-attack in 2013 highlighted the danger and unpredictability of data breaches. As hackers breached Target’s cyber defences through one of the company’s smaller suppliers, organisations realised cybersecurity strategies must extend throughout their supply chain, adding to complexity on this issue for executive teams and boards.
Giant search engine Yahoo! reported two major data breaches in late 2016 that affected over 500 million user accounts. Yahoo! was widely criticised for the delay in reporting the breaches, considered to be the largest in history, and now faces several lawsuits.
A data breach at transport-technology platform Uber in late 2017 affected 57 million users. The data breach, which involved the theft of user names, emails and mobile phone numbers, reportedly occurred in 2016. Like Yahoo!, Uber was criticised for the delay in disclosing the breach and its earlier attempts to conceal it. Both examples highlight the risks for boards if material data-breach information is hidden or it takes too long to disclose it.
Priority governance issue
Jackson says cybersecurity has rocketed to the top of boardroom issues in the US. “When I was in (legal) practice over a decade ago, these issues weren’t even on the radar screen of many corporate directors. Today, there is no doubt for top corporate counsel: if you’re not talking about cyber risk with your clients in the boardroom, you’re making a mistake.”
The cybersecurity challenge for boards is much broader than ensuring the organisation has robust online security. Knowing when and how to disclose data breaches will become a bigger issue for listed companies as cybercrime becomes material for share prices.
The SEC last month provided guidance on public-company cybersecurity disclosure – a development Australian boards should follow given the US has been several years ahead of us on cybersecurity reporting and market disclosure.
The European Union is also prioritising cybersecurity. The EU in 2017 proposed a new Cybersecurity Act, and EU member states have until May 2018 to implement the Network and Information Systems (NIS) Directive, the first EU-wide legislation on cybersecurity. The directive sets requirements on cybersecurity incident response and reporting.
The SEC acknowledges that companies do not want to provide specific information that could serve as a “roadmap” on how to breach their systems, and that it can take time for organisations to understand the materiality of data breaches. But it counsels against companies providing generic cybersecurity-related disclosures or taking too long to make them.
The guidelines outline a range of issues US companies should consider in cybersecurity disclosure: for example, the severity and frequency of prior cyber-attacks, and the probability and likely magnitude of future cybersecurity incidents.
The SEC also includes “board risk oversight” in the guidelines. It encourages companies to disclose how their board administers its risk-management oversight function of cybersecurity risks that are material to the organisation. The guidance recommends companies include a discussion on how the board interacts with management on cybersecurity issues.
The SEC is encouraging companies to adopt comprehensive policies and procedures on cybersecurity, to assess policy compliance regularly, and to determine if there is appropriate disclosure on data breaches and policies.
The guidelines also canvass the risk of insider trading with data breaches. There have been incidents overseas of company insiders trading securities for personal gain, after learning of data breaches. Prominent “hacking” events can drive share prices of affected organisations sharply lower, creating opportunities for traders with inside knowledge.
The thrust of the SEC’s cyber approach is clear: boards must ensure their organisation has robust cybersecurity compliance systems, that directors monitor them through normal risk-management processes and that market disclosures, where necessary, are made promptly.
Australia making up lost ground
New data-breach notification laws in Australia have brought this market closer to the US and Europe on disclosure. Australia previously did not have mandatory data-breach disclosure requirements, meaning it is possible that some affected organisations chose not to report they had been hacked – and that cybercrime is a bigger problem here than reported.
The Notifiable Data Breaches scheme, effective from February 22, requires organisations to alert the Australian Information Commissioner and all affected clients if a hacking of their information could result in serious harm. The new laws apply to businesses, not-for-profits and government agencies with annual turnover of at least $3 million.
In the US, a leader in data-breach disclosure, companies routinely alert customers when their information has been hacked. A telecommunications company, for example, might inform customers by mail that their data was hacked and that the problem has been resolved.
The Notifiable Data Breaches scheme adds to pressure on Australian boards to ensure the organisation is monitoring and disclosing significant data breaches. Cybersecurity disclosure can be problematic for listed Australian companies and their boards, which must assess if a data breach is material and needs to be disclosed under The Corporations Act and ASX Listing Rules.
Unlike the US, Australia does not have detailed regulatory guidelines on cybersecurity for listed companies. The Australian Securities and Investments Commission has issued useful reports on cybersecurity to inform organisations and boards on the issue and the Australian Securities Exchange has surveyed the market’s largest companies on the threat.
But it may not be until the next version of the ASX Corporate Governance Principles and Recommendations is released that more specific guidance for listed companies on cybersecurity reporting and disclosure, which would be voluntary, is given.
Australian boards must ensure they are up-to-date with latest cybersecurity trends and governance practices. A starting point is to view cybersecurity as an organisation-wide issue, rather than mostly a technology one.
Boards should be satisfied the organisation has the right internal and external resources to safeguard against cybersecurity threats: does the executive team have sufficient cybersecurity expertise and is there enough cybersecurity knowledge and experience among directors?
Directors should test how the organisation designs and implements its cybersecurity strategy. Is the cybersecurity approach aligned to the organisation’s broader strategy? Who is responsible for cybersecurity, and have cross-functional teams been established to deal with it? How does the architecture of the organisation’s technology systems deal with cyber risks?
Boards should view cybersecurity as an issue affecting all parts of the organisation. Technology is central to cybersecurity, but so too is human resources, given that many breaches result from disgruntled employees or from staff who lose company equipment or share passwords. Also, finding and keeping top cybersecurity professionals is becoming a bigger recruitment issue, as is training all staff in basic cybersecurity skills.
Cybersecurity is equally a marketing issue given the potential for data breaches to damage corporate brands and sales. It’s also a legal issue as companies report on data breaches and review their legal frameworks, such as supplier contracts, to protect against cybersecurity damage. It is an investor-relations issue as listed companies disclose breaches to the market.
The point is that organisations need a parallel approach to cybersecurity: a strong technology focus, plus an additional layer of compliance, reporting and disclosure that goes with it. As ASIC has noted, cybersecurity should be part of organisational culture, which in turn means it must be ingrained in the firm’s leadership, talent and skills development, and succession planning.
For boards, that requires testing cybersecurity through a multi-faceted approach and ensuring the organisation is up for one of the greatest challenges of our time: the coming wave of cybercrime that could reshape the digital economy and governance as we know it.