Six principles for boards on cyber-risk governance

As businesses face the increasing acceleration of digitalisation, the World Economic Forum Global Risk Report 2021 showed that cybersecurity failure ranks fourth in the top short-term risks facing entities.

“As a result of a rapidly changing cyber-threat landscape and proliferating regulations, it has become clear that boards, especially, need stronger foundations to govern cyber risks effectively,” the report says.

Board directors should adopt the principles outlined in the report when forming an effective cyber-risk governance regime, the report advises. “The board needs to understand cyber risk and its role in governing this threat, to perform its oversight function effectively.”

Six principles of a cyber-resilient organisation

  1. See cybersecurity as a strategic business enabler
  2. Understand the economic drivers and impact of cyber risk
  3. Align cyber-risk management with business needs
  4. Ensure organisational design supports cybersecurity
  5. Incorporate cybersecurity expertise into board governance
  6. Encourage systemic resilience and collaboration

Principle 5: Incorporate cybersecurity expertise into board governance

Considering how pervasive cyber risk has become, many companies are questioning whether they need a cyber expert on their board.

In determining what is right for an individual organisation, the board should consider whether it would be better served by increasing the entire board’s understanding of cyber risk rather than relying on a single member. It should also consider how the cyber-risk management structures already in place interface with the board, the availability of “cyber experts” for recruitment, and the specific attributes of expertise a candidate would need.

While some companies may choose to recruit board directors with cyber risk or cybersecurity expertise, the report says boards should at a minimum seek external industry guidance as well as the cybersecurity expertise of fellow directors and internal resources to effectively oversee the organisation’s cyber risk.

“In light of the rapidly changing cyber landscape, board directors themselves must continually seek to expand their own knowledge of this topic.”

Key activities for the board to consider are:

  • Building relationships with internal stakeholders who can provide expertise to guide strategic cybersecurity decisions
  • Taking part in opportunities to increase board directors’ base level of knowledge on cyber risk
  • Engaging third-party advisers and assessors who can report to the board regularly to ensure effective oversight of management
  • Periodic audits, reviews of cybersecurity strength and benchmarking by independent third parties
  • Regular sessions to update the board on recent cyber incidents, trends, vulnerabilities and risk predictions, using external third parties where necessary to ensure accuracy and competence.

Who owns cyber risk?

While the chief information security officer may be some organisations’ foremost cyber-risk expert and main point of contact for the board on cyber-risk issues, directors should look to a variety of executives and managers to ascertain the full impact of cyber risk on an organisation.

Other executives who can support the board’s understanding of cyber risk include the chief risk officer, general counsel/chief legal officer, chief information officer, chief technology officer, chief trust officer and chief privacy officer.

The remaining principles are discussed below.

Principle 1: See cybersecurity as a strategic business enabler

Cybersecurity is more than just an IT issue. Cyber threats are persistent, strategic enterprise risks for all organisations, regardless of the industry in which they operate, the report says.

Key considerations for the board include hardwiring cyber risk into key operational and strategic decision-making processes, including adopting cyber risk as a recurring agenda item for full board meetings.

Boards should also view each major new digital transformation initiative through the lens of cyber risk, determine which board committees should have primary oversight of cyber-risk issues, and analyse cybersecurity issues both for their strategic implications and as part of enterprise risk. Executives should be asked to identify opportunities to use cybersecurity as a market differentiator or business driver, and to analyse business strategy and business model considerations with respect to cybersecurity issues, the report says.

In a survey of more than 400 global companies conducted by PwC in Q4 2020, 52 per cent of board member respondents reported making significant progress in improving customer trust in the past three years as a result of strengthened cybersecurity practices.

Principle 2: Understand the economic drivers and impact of cyber risk

Many business initiatives that drive profitability can also increase cyber risk. To make effective business decisions, organisations should carry out scenario planning to assess the risks that could financially impact the organisation, including the trade-offs between digital transformation and cyber risk, the report says.

For example, choosing to enter a new market may have substantial business advantages. However, cyber risks such as additional network connections, theft of IP and new regulatory exposure could be just as, if not more, substantial.

Key considerations for the board include:

  • Reviewing and approving the cyber-risk appetite or tolerance that informs decision-making
  • Ensuring a consistent framework is in place for calculating the potential economic impact and likelihood of cybersecurity scenarios, and
  • Continually examining comparative measurements and metrics for cyber risk.

The board should receive detailed rationales for the organisation’s determination of materiality of risks based on an indication of the risk’s reputational, customer, financial and other relevant impacts.

Principle 3: Align cyber-risk management with business needs

By focusing on how to treat cyber risks (through avoidance, acceptance, mitigation or transfer), organisations can build a security profile that aligns with business needs and defined risk tolerances or risk appetite, the report says.

Effective governance requires clear alignment between cyber-risk management and business objectives across decisions to do with mergers and acquisitions, business transformation, innovation, digitalisation, pricing, product development and market expansion.

Key considerations for the board include:

  • Reviewing the organisation’s business strategy and drivers (e.g. digital growth) in the context of cyber-risk implications
  • Requiring management to report to the board on the cybersecurity implications of their activities, and
  • Requesting written and tested plans to counter adverse cyber events.

Management should also integrate cyber-risk analysis into significant business decisions (for example, launching a new product or publishing an app).

Principle 4: Ensure organisational design supports cybersecurity

Key considerations for the board are to:

  • Review the organisational structure to ensure the cybersecurity function is represented across the business, internal groups and leadership
  • Understand the basis for, and challenge, the assignment of important roles and lines of accountability for cybersecurity strategy, policy and execution, and
  • Set expectations that cybersecurity and cyber-risk functions are to receive adequate staffing and funding.

The board should inspire a cybersecurity culture across the organisation’s various functions (e.g. compliance, privacy), ensure that an accountable officer has the authority and responsibility for coordinating enterprise-wide cyber-risk strategy, and ensure that the organisation has a comprehensive plan for data governance.

Principle 6: Encourage systemic resilience and collaboration

Cyber risks can arise from a company’s network of partners, suppliers and vendors, so effective cyber-risk strategy includes improving the cyber resilience of industries and sectors, the report says.

Senior leaders must encourage collaboration across their industry and with public and private stakeholders to ensure each entity supports overall resilience.

Key considerations for the board are to:

  • Develop a 360-degree view of the organisation’s risk and resilience posture
  • Develop peer networks to share best governance practices
  • Ensure management has plans for effective collaboration, especially with the public sector, on improving cyber resilience
  • Ensure management takes into account risks stemming from broader industry connections (e.g. third parties, vendors and partners), and
  • Encourage management participation in industry groups and knowledge and information-sharing platforms.

The AICD has several tools to assist boards and directors.