Opinion Feature
See more like this online at www.fsmatters.com
The Institute's view

Andy Watkin-Child CSyP MSyI explains why cyber security is the elephant in the boardroom
Cyber security and cyber risk management have evolved considerably over the past 15 years, and cyber is without a doubt a problem for all companies and the public sector, whether it be countries hacking countries, data breaches as a result of data theft, or states, governments and companies being held to ransom. Conservative estimates identify the annual cost of cybercrime worldwide to be at least US$1 trillion. If cybercrime were a country, it is estimated that it would have the 13th highest GDP in the world.
The financial impact of cyber-attacks on the corporate top and bottom line is significant, with the NotPetya attack of 2017 (one of the most devastating cyber-attacks in history) demonstrating that cyber-attacks can have a global reach. It touched a range of businesses from shipping and manufacturers to pharmaceuticals, fast-moving consumer goods (FMCG) and the public sector, notably the NHS.
The list of companies and public sector organisations that have suffered from cyber-attacks is growing. The UK ICO has issued intentions to fine British Airways (£183 million) and Marriott Hotels (£99 million) for their data breaches in 2018. In all cases, these were incidents that not only impacted the organisations directly and financially, but also caused longer-term reputational damage.
Skills and knowledge gap
In response to the cyber threat, the regulatory environment is adapting. Regulations and programmes like EU GDPR, EU NIS, CCPA, NYDFS, SEC, US DoD and the development of the UK Government's Cyber Security Council have either been implemented or are being developed. On top of this there is a skills shortage in cyber security. A conservative estimate places the global cyber skills shortfall at between 1 and 2 million full-time equivalent (FTE) positions.
With this backdrop, it is apparent that company boards need to be able to confidently assess cyber risk with the same, if not more, rigour than other risks they analyse and manage. However, recent research [1] shows this is not always the case. While boards may understand that cyber risk is something that they should be aware of, very few have the knowledge, ability and experience to be able to adequately understand the potential risks.
In the US, the regulatory direction of travel is that boards of listed firms may have to have someone nominated on the board with cyber security experience to provide adequate oversight [2]. There is also a robust debate taking place between regulators across various disciplines on the role boards play in the management and oversight of material risks such as cyber, and the liabilities which they may face. The big question is how such risks can be evaluated and how boards can become comfortable that they have the knowledge to be confident that cyber risks are being properly assessed.
Focus on cyber security
The board needs to be spending, in most cases, significantly more time on the areas of cyber and cyber security, especially given the significant liabilities which can be attached to a data breach, and the potential damage to a company's financial statements and its reputation. The consequences of inadequate cyber security are potentially huge, but because it is difficult for most boards to discuss in detail, it is less often discussed.
Over the past few years, we have seen an increasing number of non-executive directors brought in to help boards "understand how to do business in a digital environment". However, this does not necessarily mean the same thing as being able to help companies assess the digital risk.
Non-executive directors must understand what the critical data is and ensure that data is secure not only within their own ecosystem, but also that those people who have access to their systems are themselves secure. There is growing concern that a significant proportion of cyber-attacks are instigated through third parties rather than by attacking the end user directly. Consequently, the US Department of Defence has implemented a cyber assessment programme (CMMC) to address cyber risks within its sizeable supply chain.
Cyber is an enterprise-wide risk, which impacts all aspects of corporate operations. Whilst there is some way to go before the chief information security officer sits at the board table, there is clearly a need for cyber security expertise to be at the table to provide advice, challenge and oversight on board decisions.
[1] Marsh's Global Cyber Risk Perception Survey Report 2019 (Cyber perception survey)
[2] (forbes.com)
Andy Watkin-Child CSyP MSyI is a thought leader in cyber risk management and a prolific cyber security researcher. In January 2020, Andy was co-opted on to the Security Institute's Board of Directors, accepting the portfolio of director of standards. Andy will formally stand for election at the Institute's AGM on 21st April.

https://security-institute.org

For more information:
Tel: 0044 2476346464
www.fsmatters.com
security-institute.org