Communicating Cybersecurity to the Board

By Thomas Hamata

Cybersecurity is quickly becoming an area of focus for many audit committees and boards today.

We are seeing large-scale innovation and automation creating both opportunities and risks against the backdrop of an ever-evolving cyber threat landscape and a critical shortage of cybersecurity skills. Naturally, this has made cybersecurity a hot topic for those leading and governing organisations in this age.

According to InterPol’s 2021 African Cyber threat Assessment Report, cybercrime reduced African GDP by more than 10%, at an estimated cost of US$4.12 billion (N$70.6 billion). The cyberattacks assessed were primarily targeted to (and suffered by) government institutions, critical national infrastructure and small to medium-sized enterprises.

A cyberattack can cripple business operations, cost millions to recover from and result in directors’ personal liability. The need for boards to understand their responsibility in governing this area has never been more pressing.

However, with the average board director not necessarily being tech-savvy, how does an organisation present cybersecurity risk to its board in a way that allows a director to provide effective oversight over it?

Given the relative newness of this evolving risk on many board’s agendas, an important topic to initially cover with a board is their responsibility over the governance of the organisation’s cybersecurity programme.

It is also important to remember that corporate executives and directors are the typical victims of cybercrime such as business email compromise (BEC) or cyber-based corporate espionage. Directors must be aware of the threats targeted to them, and by extension the organisations they lead. Training them how to identify and respond to common targeted cybercrime is non-negotiable.

Locally, there is no formal guidance on a board’s responsibility over cyber risk in governance standards such as the NamCode, which has not caught up to recent shifts in the world of commerce. Boards are nonetheless ultimately accountable for the effectiveness of the risk management programs of the organisations they govern, and cyber risk is an inherent part of any such programme. The USA National Association of Corporate Directors’ Handbook on Cyber Risk Oversight is a good authority in this niche area.

Aside from knowing their responsibilities and threats to themselves, what any board member ultimately wants is an answer to each of these three questions:

  1. a) What is happening in the industry in terms of cybersecurity? – Who in the industry has been affected by a cyber-attack? What statistics do we have? How is our industry particularly vulnerable? What cybersecurity-related regulations have or are being issued, and are we compliant to these?

  2. b) What are we doing to manage the risk? – How are we making sure what has happened/is happening to others in the industry does not happen to us? What controls do we have in place to guard against cyberattacks?

  3. c) Are we getting better at managing the risk? – How are we measuring our cyber resilience effectiveness/maturity? Is our cyber resilience capability getting better? What benchmarks can we compare ourselves against?

In answering these questions, it is important to select and present key cyber risk and programme performance metrics aligned to the organisation’s strategy and situational context. Holistically, these indicators should provide the board insight into the maturity of the organisation’s cybersecurity programme. Because not all board members will necessarily be technical cybersecurity experts, it is even more so important to present these metrics to them in languages they already know: programme maturity ratings, risk heat-maps and cost.

A board’s understanding of cybersecurity should be strong enough to provide effective oversight over a company’s cybersecurity programme, and to provide its directors confidence that the organisation can effectively respond to a materially significant cyber breach. This will allow them to continue to effectively discharge their fiduciary duty of due care, as they steer the organisations they lead to success.

Previous
Previous

On ChatGPT and Generative AI: Is Your Job Safe?

Next
Next

Three Risk Trends Corporate Boards Should Look Out For in 2023