By Jonathan Gray
PANAMA CITY – The cyber threat posed to corporations needs little explanation these days. The potential impact of an attack is great enough to threaten the very existence of some businesses and to cause severe losses to others. Had Sony or Saudi Aramco been retailers with average cash reserves, the loss of their entire networks as the result of attacks might have proven existential, given the length and depth of their cyber crises. The data losses suffered by Target, TJX Companies and Heartland were significant enough, but to add insult to injury, the remaining directors of these companies and others are now subject to shareholder derivative and securities lawsuits, this despite being the victims of a crime. For most corporations, it is generally understood that this is no longer an exotic risk buried in the detail of a risk register and left to the IT department. Rather, it is a very significant challenge of direct concern to the board.
And yet managing this problem, which adds nothing to the top line, looms as a major and difficult-to-estimate new cost of doing business. Hardly the stuff that traditionally makes an ambitious CEO salivate. Indeed, many “baby boomer” CEOs privately concede that they find the whole matter at best complex and at worst incomprehensible. And with PwC estimating in 2015 that US corporations face around 43 million attacks annually – yes, some 117,800 a day – the issue can seem bewildering. Such statistics can be unhelpful in that they paralyze boards into anxiety-induced inaction. As one CEO commented, “The problem is so massive, where do we start?” A 2015 study by the National Association of Corporate Directors found that only 11% of respondents believed their boards possessed a high-level understanding of the risks associated with cyber security.
When many CEOs and executives are so clearly misaligned in their management of key risks that threaten the value, reputation and profitability of a corporation, alarm bells should be ringing. Happily, a solution is wired into the governance structure of virtually all public corporations.
The primary role of non-executive directors (NEDs) on a company’s board is to select a CEO and then hold that CEO accountable for the management of the company. As we have been advising our clients, when it comes to cyber security it is time for NEDs to get involved. Non-executive chairs and presidents should now consider appointing a NED who, inter alia, understands corporate security and can inform and balance the board’s consideration of the matter. This NED should also serve on the audit committee and should insist on an annual external review of corporate security (not just cyber security) to ensure that the company is managing these complex and inter-related risks in an appropriate and dynamic manner, and that it is holding its CSOs and CISOs to account.
Control Risks is not alone in making these and other key observations through our rapidly growing global cyber consulting business. Some CEOs are fully invested in managing this problem; indeed, we have seen such leaders appointed as NEDs to other corporations to help drive change. And yet in our experience corporate preparedness remains wanting, with only limited exceptions. Ideally, cyber-risk-savvy NEDs can help CEOs ask the right questions and ensure that they give appropriate strategic direction on a proportionate, risk-based approach that is informed, but not driven, by standards and technological considerations. However, NEDs are now well advised to get tough with executives unwilling or unable to implement well-developed and resilient cyber risk management programs. In doing so they will also protect the board from claims that it failed to discharge its fiduciary duties. Indeed, being seen to understand and manage these all-too-pervasive challenges can only enhance the value of the individual NED and of the board as a whole.
Jonny Gray is a Senior Managing Director with Control Risks, the world’s leading political, integrity, and security risk consultancy.
This article was written by Control Risks from Forbes and was legally licensed through the NewsCred publisher network.