The Buck Stops Here: Cyber Risk Accountability Moves to the Boardroom
Technology innovation in our connected world has created countless long-lasting benefits, particularly over the past five years. However, these benefits may come with unintended risks. The threat of a crippling ransomware attack and its impact on businesses and critical infrastructure has become all too real. Although these expanding cybersecurity risks encompass many disciplines within an organisation, the potential impact of an attack has now shifted accountability to the boardroom. This has become an uncomfortable truth for non-executive directors and board members alike.
Cybersecurity Governance
As cybersecurity governance increasingly becomes the responsibility of the board, directors are now directly on the hook for ensuring their firm has effective defences in place against cyberattacks. This is a significant shift in governance, as operations were traditionally left to the leadership team. Government agencies worldwide have also been penning regulations outlining new requirements for executives, the board, and independent directors alike, increasing their responsibility and personal liability. This includes the UK Government, which consulted in early 2024 on a Cyber Governance Code of Practice and its principles.
Despite these actions, the level of cyber expertise at board level has been slow to develop. According to a recent NightDragon Diligent report, only 12% of companies in the US have at least one current or former "cyber expert" on the board [1]. Even more surprising, according to the latest statistics from the UK Department for Science, Innovation and Technology, the share of UK businesses with a board member responsible for cybersecurity peaked at 38% in 2021 but has since declined to 30% [2].
The Council of the European Union and the European Parliament formally adopted the Digital Operational Resilience Act (DORA) in November 2022. This law places financial entities and third-party ICT service providers on notice to comply by DORA's enforcement date of 17 January 2025 [3].
Cyber Risk Management
The following are some important elements of cyber risk management under DORA:
- Understanding Cyber Risks: Directors must have a fundamental understanding of cyber risks, including the types of threats that organisations face, such as data breaches, ransomware attacks, insider threats, and other common vulnerabilities and exposures (CVEs).
- Legal and Regulatory Compliance: Directors should be aware of relevant current and pending laws and regulations related to cybersecurity, including any industry-specific regulations for their company or companies. They need to ensure that the organisation complies with these requirements.
- Risk Management Framework: Familiarity with established cybersecurity frameworks such as NIST Cybersecurity Framework, ISO 27001, or CIS Controls can help directors evaluate the organisation’s cybersecurity posture and identify areas for improvement.
- Cybersecurity Investments: Directors need to evaluate cybersecurity investments and ensure that adequate resources are allocated to mitigate cyber risks effectively. This includes investments in cybersecurity technology, vendor management, training, and hiring skilled personnel.
- Cyber Insurance: Directors should assess the organisation's cyber insurance coverage to determine whether it adequately protects against potential financial losses resulting from cyber incidents and whether it protects them personally from cyber-related litigation.
- Third-Party Risk Management: Directors need to understand the risks associated with third-party vendors and partners. They should ensure that the organisation has appropriate vendor management processes in place to assess and mitigate these risks.
- Continuous Monitoring and Reporting: Directors should receive regular updates on cybersecurity metrics, incidents, and trends. They should also monitor key performance indicators (KPIs) to assess the organisation’s cybersecurity posture over time.
DORA is important legislation, but it does contain some vague language that makes compliance a challenge. EU directors and NEDs can learn from the early stages of compliance with the new Securities and Exchange Commission (SEC) rule in the US. As an example, the SEC chose not to define the word "material", which determines what must be reported in the event of a cyberattack [4]. This undefined term has given companies some wiggle room in what, how, and when they comply with the regulation, not to mention giving plaintiff attorneys more ammunition in litigation. Any undefined term in any legislation, including DORA, increases the uncertainty of how to comply with these new laws.
DORA goes a long way towards putting a proper cybersecurity framework in place for many organisations that may be a little late to the game. Ultimately, being compliant assures neither the cyber hygiene nor the security of any organisation, and it often diverts needed resources and funding away from the cybersecurity investments that would thwart an attack in the first place.
Cyber Attacks on the Rise
Around the world, most organisations have made substantial gains in cyber resiliency and security, yet attacks continue to increase unabated. The question is why? Here are a few possible reasons:
- Attackers have a distinct advantage.
- They are solely focused on disruption, deploying malware, and obtaining a large ROI on ransomware attacks. They are not bothered by the usual corporate distractions, including worrying about competitive market forces.
- Bad actors continue to reinvest in new, more complex attacks. Ransomware demands continue to increase, leading to larger payments. Unlike most companies, cybercriminals have extremely low overhead and full authority to reinvest these stolen funds.
- Long gone are the days of random individuals with hacking skills dabbling in techno-mischief. The cybercriminals of today run very sophisticated businesses and complex network infrastructures, and are savvy at negotiating ransomware demands. They also know where to find the most valuable data to exfiltrate and sell on the black market.
- State-funded and state-sponsored cybercriminals. Intelligence agencies around the world track the growing threat from these determined cyber terrorists. Certain countries focus on critical infrastructure targets and are looking to create far greater damage than a financial payout.
- Company cybersecurity defences are years behind. Companies have fallen behind in their defensive posture when compared to the bad actors in the game. Competing interests for resources, the allocation of tight budgets, and the vast array of cyber solution providers have left their defensive posture well behind the capabilities of sophisticated attackers.
With a growing call for accountability measures from regulatory bodies and various stakeholders, the board's risk management focus should move from strategies that merely repair damage to also include strategies and viable solutions that prevent cyberattacks from occurring. The exploits deployed by cybercriminals today will pale in comparison to the quantum- and supercomputing-powered attacks of the future. Time is of the essence to adopt pre-emptive cybersecurity that prevents damage, even from unknown attack vectors. Boards must accept the new cyber reality that a cyberattack on their organisation is not a matter of "if" but "when", and that reality may come sooner rather than later.
Written by Cyemptive Technologies, provider of military grade cyber security to eliminate threats before they infiltrate your systems. Command your security with pre-emptive, award-winning technology.
For more about Cyemptive Technologies, visit: https://www.cyemptive.com/
Sources:
- [1] https://www.nightdragon.com/wp-content/uploads/State-of-Cyber-Awareness-in-the-Board-Room-Report.pdf
- [2] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023
- [3] https://www.dora-info.eu/dora/article-3/
- [4] https://www.wsj.com/articles/materiality-definition-seen-as-tough-task-in-new-sec-cyber-rules-314b4626