A new study released by the World Economic Forum (WEF) highlights the need for boards of directors to play a more active role in protecting their organisation from cyber risks.
Cybersecurity failure is a recognised threat, yet board directors' responses to it have been fragmented, the risks are not fully understood and collaboration between industries remains limited, according to a release accompanying the report.
The Principles for Board Governance of Cyber Risk report highlights that cyber risk remains among the top risks facing business organisations today, noting that the WEF’s Global Risks Report 2021 lists cybersecurity failure as a top “clear and present danger” and critical global threat.
“As with any major enterprise issue, it is important for the board of directors and leadership to set the tone at the top and define how their organisations must address cybersecurity,” states the report.
The report is designed for corporate directors to reference and follow as they set cybersecurity strategy and engage with stakeholders from across their business and their sector on the issue of cyber risk. “In exercising the board’s oversight function, we recognise that the best action for the board is to demand, review and analyse management’s plans for cyber risks.”
Created by the WEF, the National Association of Corporate Directors (NACD), the Internet Security Alliance (ISA) and PwC, the report is the result of a year-long collaboration to find a cohesive, global and cross-border approach to cyber risk.
“These organisations came together to build a set of consensus principles that recognised up-to-date techniques for cyber risk governance. Building off existing guidance and through an iterative development process, the group developed six consensus principles for cybersecurity board governance.”
The six consensus principles are designed to support board oversight of a cyber-resilient organisation while driving strategic goals.
One principle is ‘Cybersecurity is a strategic business enabler’, under which the study highlights that cybersecurity is more than just an IT issue.
“Cyber threats are persistent, strategic enterprise risks for all organisations regardless of the industry in which they operate. Effective organisational cybersecurity directly contributes to both value preservation and new opportunities to create value for the enterprise and larger society.
“Navigating this risk requires a culture of cybersecurity with leadership commitment to, and modelling of, good cybersecurity decision-making,” said the report.
The second principle is ‘Understand the economic drivers and impact of cyber risk’, where the report states that enterprise decision-making requires analysis of the economics of cyber risk.
“Many business initiatives that drive profitability can also increase cyber risk. For organisations to make effective business decisions, risk determinations should focus on the financial impact to the organisation, including trade-offs between digital transformation and cyber risk. By using scenario planning, leaders in the organisation can consider potential gains and losses relative to other business priorities and obligations. Leaders should also measure cyber risk against strategic objectives, regulatory and statutory requirements, business outcomes and cost of acceptance, mitigation or transfer.”
Third is ‘Align cyber-risk management with business needs’. The report says boards should understand and assess how to effectively manage cyber risks in the pursuit of
“By focussing on how to treat cyber risks, organisations can build a security profile that aligns with business needs and defined risk tolerances or risk appetite. Effective governance of any enterprise requires clear alignment between cyber risk management and business objectives across every facet of decision-making, including mergers and acquisitions, business transformation, innovation, digitalisation, pricing, product development and market expansion.”
Another principle is to ‘Ensure organisational design supports cybersecurity’, highlighting that organisational structure should integrate and support security and strategic goals.
“Organisations should design an internal governance structure that addresses cybersecurity on an enterprise-wide basis. This includes defining clear ownership, authority and key performance indicators (KPIs) among all internal stakeholders for critical risk management and reporting responsibilities. It also demands the integration of cybersecurity practices into how the business operates and makes decisions.”
A fifth principle is ‘Incorporate cybersecurity expertise into board governance’, where it is noted that boards need diverse sources of cybersecurity expertise.
“Boards must avail themselves of external industry and other guidance as well as the cybersecurity expertise of fellow directors, third parties and internal resources to effectively oversee the organisation’s cybersecurity within an appropriate structure focussed on oversight. In light of the rapidly changing cyber landscape, board directors themselves must continually seek to expand their own knowledge of this topic.”
The final principle is ‘Encourage systemic resilience and collaboration’, where the report highlights that effective cyber risk strategy includes improving the cyber resilience of industries and sectors.
“The highly interconnected nature of modern organisations means we run the risk of failures that spread beyond one enterprise to affect entire industries, sectors and economies. It is no longer sufficient just to ensure the cybersecurity of your own enterprise; rather, cyber resilience demands that organisations work in concert.
Recognising that only collective action and partnership can meet the systemic cyber risk challenge effectively, senior strategic leaders must encourage collaboration across their industry and with public and private stakeholders to ensure that each entity supports the overall resilience of the interconnected whole.”
The report concludes that board directors should adopt these consensus principles to form the basis of an effective cyber risk governance regime.
“The board needs to understand cyber risk, and its role in governing this threat, to perform its oversight function effectively. It continues to be important for members of the board of directors and industry professionals to increase their knowledge of how to address cybersecurity within their organisations.”
It also notes that, as part of this body of work, the WEF, NACD and ISA will continue their shared efforts to enhance boards’ ability to incorporate cyber risk planning into overall company strategy.