BW Businessworld

Cyber Risk As Board Room Agenda

Recently we have seen a number of highly damaging cyber-attacks against enterprises holding sensitive data, valuable intellectual property and financial assets. In one of the largest information security breaches in recent times, cyber-attackers purportedly breached the systems months before it was noticed. Today, if your organisation hasn’t already been a target of a cyber-attack, it may be that either you don’t know it or there is a high likelihood that you will be a target in the near future.

With the rapid growth of information technology, and now of disruptive technologies, cyber risk is a crucial issue for today's business leaders. Organisations are expanding their horizons with the use of SMAC (Social, Mobile, Analytics and Cloud) and increasingly demand these new dimensions for business growth. As each of these developments further reshapes the technology landscape, cyber risk is becoming an increasingly complex challenge for organisations to manage.

Because of these changes in the business landscape, the computer security and data protection strategies that were thought ‘sufficient’ a few years ago are no longer enough. As organisations struggle to implement better security measures, many are falling victim to cyber-attacks. Today, organisations of all types and in all industries are potential victims of cyber-attacks. Such attacks disrupt the normal course of business and cause significant financial and reputational harm. Cyber risk is thus an outcome of the dependence of businesses on technology and the cyber world, and for the same reason it needs to be an essential item on the boardroom agenda.

The Board's Role in the Cyber World
In the recent past, the term “cyber risk” has not been frequently heard or addressed in the boardroom. Cyber risk was often referred to as an information technology risk, and managing and monitoring it were the responsibility of the CIO, CTO or CISO, not the board. In many companies, audit committees are often delegated the task of overseeing the risk programmes and policies, including cybersecurity risks. The trend is to form committees which are delegated the task of overseeing risks associated with their areas of expertise. This has resulted in boards not addressing the responsibilities of cyber risk management adequately, and this poses wider risks to the protection of assets, the company’s reputation and brand management.

Cyber risk is a significant risk that can have a material impact. With the rapidly advancing changes in technology over the last few years, cyber risk has become an increasingly important and challenging risk that board members are being compelled to address. Today, cyber risk is one of the topics which should be discussed at the full board level rather than left solely with a committee. At least annually, boards should proactively review budgets in this area, conduct periodic assessments of security programmes, review the level of implementation of policies for security and privacy, regularly receive reports detailing independent assessment of breaches and IT risks in the company, lead education and awareness programmes company-wide, and treat cyber risk as a priority.

Questions the board of directors needs to ask:
•    Is there someone on the board who serves as Cyber expert and/or understands cyber risks?
•    Has management prioritised the organisation’s information assets (critical information that provides the organization its competitive advantage) – that may be the target for a cyber-attack? Is the management managing the security of those assets effectively and the risks associated with them?
•    How well does our organization track digital information? When we share that information with third parties, such as suppliers, are we confident their cyber security programs are able to protect information as effectively as our own?
•    Does our organisation have a security operation and is it proactively managing cyber threats? What steps does the management take to consistently identify emerging threats and automate and monitor the environment to protect the organisation from such threats?
•    Do our people need to be better educated about cyber security? How well do our people understand our cyber risks, and the nature of cyber-attacks that may target them?
•    Do we regularly report on the state of security within our organisation? Has the management identified key risk indicators and is it tracking progress? Are we improving our overall security posture?

Concluding Thoughts
To manage an organisation's cyber risks effectively, the cyber security programme should be overseen by the board of directors as part of its role in the organisation’s risk management activities. The board and its directors should become more proactive in evaluating cybersecurity risk exposure as an enterprise-wide risk management issue, not limiting it to an IT concern. As with other risk programmes, the board should set its expectations of, and accountability for, the management and ensure there are adequate resources, funding and focus for its cyber security activities.

As boards of directors take up a more active role in ensuring that the organisation protects and maximises the value of its information assets both within and outside the company walls, the organisation will be in a better position to take advantage of the opportunities that arise through digital and disruptive technology. Due to these risks and opportunities, we would not be surprised to see board-level leadership for cyber risk in the long run.

(The author, Abhay Gupte, is Senior Director, Deloitte Touche Tohmatsu India Private Limited)