Cybersecurity came to the forefront of critical concerns when companies had to shift to remote working at the height of the pandemic. Businesses continued to accelerate their transformation to address disruption, but many did not consider cybersecurity as part of the decision-making process — likely due to business urgency or oversight. As a result, as much as 73% of Asia-Pacific businesses saw an increase in disruptive attacks, according to the EY Global Security Survey 2021 (GISS), with new vulnerabilities entering the rapidly evolving business environment.
The industrialization of cyberattacks led to an increase in their volume and severity, but Chief Information Security Officers (CISOs) are faced with challenges that inhibit the cybersecurity function. These include inadequate budgets, which can be seen in the cyber spend of Asia-Pacific businesses totaling only 0.05% of their annual revenue, according to the GISS. This cost-cutting has severe implications, as the GISS reveals that 41% of businesses in the APAC region expect major breaches that could be anticipated and averted with better investment. There is also a lack of preparedness due to the limited visibility of cyber risk within an organization, coupled with outdated or disparate regulations.
The GISS further shows that CISOs demonstrate a lack of confidence when faced with threat actors. Cybersecurity strikes a fine balance between usability, security and cost, but it is only possible if the board is proactively testing and challenging the existing status quo.
BOARD RESPONSIBILITIES TOWARDS CYBERSECURITY
Board members must review the company's organizational structure to ensure that the cybersecurity function is adequately represented, and should promote systemic resilience and collaboration to account for risks stemming from broader industry connections. They should encourage continuous analysis of comparative metrics, such that industry-accepted cyber frameworks guide data-driven decisions, aligning risk appetite with organizational goals and strategy. It is imperative to understand tomorrow's cyber threats today by proactively investigating emerging threats.
Board directors will have to identify their business-critical systems and data, and how their criticality is assessed. They are responsible for key business risks per local applicable Corporations law requirements. In some jurisdictions such as Oceania, directors are now required to take all reasonable steps to be in a position to “monitor and guide” the company and have information made available to them to exercise their responsibilities.
The board must also determine how effective the controls protecting their critical systems and data are, and how often these are tested. In addition, they have to be aware of how their current data privacy and data retention policies align with government and industry regulations, and how third-party suppliers are protecting the company systems and data. Moreover, cyber investments must be focused on mitigating the risk scenarios that the company would be most exposed to. In case of a cyber incident, there has to be an organization-wide response plan capable of addressing it, where employees understand their roles in managing the crisis.
It is the responsibility of directors to consider proactive management of the risks associated with critical assets and data to maintain market and consumer trust, as well as adhering to legislative obligations or best practice expectations to secure personal information.
Thus, it is important to hear from external sources, not just management, about the potential threats and the independently assessed level of controls currently in place. While management can provide updates on the status of the company's cybersecurity programs, an independent party can help the board gain assurance that the programs are adequate with respect to the existing cyber threats that the company is facing.
CYBERSECURITY INSIGHTS FOR BOARDS TO CONSIDER
According to the EY Global Risk Survey (2020), boards stay updated through external advisors or industry analysts (40%), interactions with or data on peer companies (32%), and through management briefings (20%). Almost half of the surveyed respondents consider unfavorable economic conditions, cyber incidents and the pace of technology change to be their top risks.
In light of this, there are several insights gleaned through director dialogues held through the survey. One is to set the cultural tone — boards must demonstrate that cybersecurity and privacy risk are critical business issues by increasing the board and/or committee’s time and effort spent discussing the topic. They must also stay updated by increasing the frequency of board and/or committee updates on specific actions to address new cybersecurity and privacy issues and threats.
Moreover, boards must understand the necessary protocols. They have to obtain a thorough understanding of the cybersecurity incident and breach escalation process and protocols, including a defined communication plan for when the board should be notified. By understanding the processes management uses to identify, assess and manage the risk associated with service providers and supply chains, they can better manage third-party risk. Boards also have to test response and recovery: they should enhance enterprise resilience, have the company's ability to respond and recover tested through simulations, and arrange protocols with third-party professionals before a crisis. Lastly, boards must monitor evolving practices. They should stay attuned to evolving board and committee cybersecurity oversight practices and disclosures, including benchmarking against peer disclosures for the last two to three years.
SUCCESSFUL AND SECURE TRANSFORMATION
Boards must have a clear understanding of the company's cybersecurity program and how effectively it is implemented to address immediate and near-term cyber threats. Fortifying cyber resilience requires boards to act decisively as major pressures threaten the ability of cybersecurity to effectively address potential risks. They must play an active role in bringing cybersecurity to the rest of the business. By taking more time to discuss cybersecurity risks, the board can send a clear message that the cybersecurity function is a strategic business partner, and that the risks involved are critical business issues. Not only will this help the cybersecurity function work more effectively with the business, but it will also help the function execute transformation programs that are successful and cyber secure.
This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.
Warren R. Bituin is the Technology Consulting Leader of SGV & Co.