Boards of directors must increase scrutiny, oversight of cyber defenses: Here’s how they can do it

Man with a laptop looking at computer servers in a server room

The growth in cyberattacks leaves organizations a choice: be a victim or muster the resiliency to emerge stronger if disaster strikes. The most cyber resilient respond to an incident, repair the vulnerabilities and apply the lessons to strategies for the future.

Cause for concern

A culture of resiliency is particularly urgent given some alarming findings. One-in-three companies has experienced a serious cyber incident that included disrupted operations, impaired financials and damaged reputations, according to a recent study from the Economic Intelligence Unit (EIU), sponsored by Willis Towers Watson. The stark reality was identified by a group of 452 board members, C-suite executives and directors with responsibility for cyber resilience at large companies.

Most participants also expect another event over the next 12 months, and stated that they lack confidence in their ability to source talent and develop a cyber-savvy workforce. Executives cite the magnitude of the reputational and financial risk as the most important factors for board oversight.

Perhaps this explains why 80% of respondents in our 2018 Willis Towers Watson ManagementLiability (D&O) U.S. Survey — directors and officers, risk managers, treasurers and legal and compliance individuals from 77 large corporations — identify cyber threats as the number one concern for their companies.

Board action is imperative

Board members can start to get a handle on this increasingly important issue by understanding their organization’s cyber-risk exposure. They must recognize how their fiduciary duties now include a charge to ensure their organizations’ level of cyber resiliency meets rising demands.

In particular, board member should be thinking about and discussing stronger governance of cyber management.

Stronger governance over cyber-defense programs gives new purpose to existing board duties:

  • Fiduciary duties and the duty to act in the interest of the corporation: A carefully thought out cyber program with strong response protocols supports this important duty.
  • Duty of care, to carry out responsibilities in a way prudent persons would reasonably act: In the event of a cyber-incident, board members should thoroughly review what went wrong and how that can be corrected to prevent future occurrences. This could include educating employees and vendors to increase cyber safety awareness.
  • Duty of obedience that ensures operations reflect an organization’s stated purposes and complies with all laws: The importance of understanding and complying with cyber guidelines must be impressed upon employees. Employees should feel invested in company guidelines.

To meet these duties boards should attack the issue on several fronts using different tools:

  • People
  • Risk transfer
  • Technology

An opportunity

If an organization is proactive after a cyberattack occurs, an opportunity arises. Board members are presented with new information about what worked and didn’t in a cyberattack prevention plan. And they’re given the chance to strengthen their organization’s risk culture, consider new preventive technology that could reduce privacy breaches and business interruption risks and invest employees in the short- and long-term wellbeing of the company.

Such a “reboot” can treat any immediate loss to capital and reputation as an investment in the future with a measurable ROI that periodically evaluates performance against direct, company-specific and more general global cyber threats. The long-term viability of an organization isn’t bound to the vagaries of short-term misfortunes such as a cyber breach, but rather by the resiliency it exhibits when faced with adversity.

About Joe DePaul

Joe DePaul is the National Cyber/E&O Practice Leader, North America, at Willis Towers Watson.…
Categories: Cyber Risk, Insurance and Risk Management, Risk Culture | Tags: , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *