The Institute's view
23 March 2020
Andy Watkin-Child CSyP MSyI explains why cyber security is the elephant in the boardroom
Cyber security and cyber risk management have evolved considerably over the past 15 years, and cyber is without doubt a problem for every company and for the public sector, whether it be countries hacking countries, data breaches resulting from data theft, or states, governments and companies being held to ransom. Conservative estimates put the annual cost of cybercrime worldwide at no less than US$1 trillion. If cybercrime were a country, it is estimated that it would have the 13th highest GDP in the world.
The financial impact of cyber-attacks on the corporate top and bottom line is significant. The NotPetya attack of 2017, one of the most devastating cyber-attacks in history, demonstrated that a single attack can have global reach: it touched a range of businesses from shipping and manufacturing to pharmaceuticals and fast-moving consumer goods (FMCG), as well as the public sector. The NHS was hit in the same year by the WannaCry ransomware, which disrupted hospitals and GP surgeries across the country.
The list of companies and public sector organisations that have suffered cyber-attacks is growing. The UK ICO has issued notices of its intention to fine British Airways (£183 million) and Marriott Hotels (£99 million) for their 2018 data breaches. In each case the attack not only caused a direct financial hit but also longer-term reputational damage.
Skills and knowledge gap
In response to the cyber threat, the regulatory environment is adapting. Regulations and programmes such as the EU GDPR, the EU NIS Directive, California's CCPA, the NYDFS cybersecurity regulation, SEC guidance, the US DoD's supply chain certification programme and the UK Government's planned Cyber Security Council have either been implemented or are being developed. On top of this there is a skills shortage in cyber security: a conservative estimate places the global shortfall at between 1 and 2 million full-time equivalent (FTE) positions.
Against this backdrop, it is apparent that company boards need to be able to assess cyber risk confidently and with the same rigour, if not more, as the other risks they analyse and manage. However, recent research (Marsh's Global Cyber Risk Perception Survey Report 2019) shows this is not always the case. While boards may understand that cyber risk is something they should be aware of, very few have the knowledge, ability and experience to understand the potential risks adequately.
In the US, the regulatory direction of travel is that boards of listed firms may be required to have a nominated board member with cyber security experience to provide adequate oversight. There is also a robust debate taking place between regulators across various disciplines on the role boards play in the management and oversight of material risks such as cyber, and on the liabilities they may face. The big question is how such risks can be evaluated, and how boards can become comfortable that they have the knowledge to be confident that cyber risks are being properly assessed.
Focus on cyber security
In most cases the board needs to spend significantly more time on cyber and cyber security, especially given the significant liabilities that can attach to a data breach and the potential damage to a company's financial statements and reputation. The consequences of inadequate cyber security are potentially huge, but because most boards find the subject difficult to discuss in detail, it is discussed less often than it should be.
Over the past few years, we have seen an increasing number of non-executive directors brought in to help boards "understand how to do business in a digital environment". However, understanding the digital world is not the same thing as being able to help a company assess its digital risk.
Non-executive directors must understand what the critical data is and ensure that it is secure, not only within their own ecosystem but also with the third parties who have access to their systems. There is growing concern that a significant proportion of cyber-attacks are instigated through third parties rather than by attacking the target organisation directly. Consequently, the US Department of Defense has implemented the Cybersecurity Maturity Model Certification (CMMC) programme to address cyber risk across its sizeable supply chain.
Cyber is an enterprise-wide risk that affects every aspect of corporate operations. While there is some way to go before the chief information security officer sits at the board table, there is clearly a need for cyber security expertise at the table to provide advice, challenge and oversight on board decisions.
Reference: Marsh, Global Cyber Risk Perception Survey Report 2019 (cyber perception survey).
Andy Watkin-Child CSyP MSyI is a thought leader in cyber risk management and a prolific cyber security researcher. In January 2020, Andy was co-opted on to the Security Institute's Board of Directors, taking on the portfolio of Director of Standards. Andy will formally stand for election at the Institute's AGM on 21 April.