Needed: A Sense Of Urgency In UK Boardrooms On Cyber Security
You can just about smell the fear when it comes to the subject of cyber security and FTSE350 boardrooms. It isn't just about not knowing what to do about it, it's about being seen as not knowing - or even worse, having to admit it. Not only is this very British, it is almost certainly compounded by the fact that the average inhabitant of these boardrooms is white, male and probably aged around 57.
Over the last four years I have written extensively about the danger of ostriches in the boardroom on Forbes online. There have also been a plethora of demonstrations of the magnitude of the cyber security challenge across the globe, and the damage data breaches can cause - to individuals, to businesses, and to reputations. Those who profess to know claim that cyber security is at the very top of the UK boardroom's agenda.
When the UK government launched its cyber security strategy to 2021 last November, it pledged to make Britain one of the safest places in the world to do business. It also encouraged industry to "up its game" to prevent damaging cyber attacks. Since then the Confederation of British Industry (CBI) has launched a massive awareness campaign and recently held a conference on cyber security, and there have been many other initiatives for businesses to tap into.
But when it comes to UK corporate governance, famously defined as the "very essence of a business", cyber security does not seem to have to stand up and be counted to earn that UK badge of best practice for potential investors.
Back in 2014 the UK government did release guidance on the questions non-executive directors should be asking on cyber security. But is anyone asking them?
Certainly, the National Audit Office (NAO), which seems to be increasingly challenging and outspoken in response to domestic events, appears to be extremely frustrated with the state of play when it comes to cyber security and FTSE350 boardrooms.
In August this year it launched its own 'Cyber security and information risk guidance for Audit Committees.' And it said: "Audit committees should be scrutinising cyber security arrangements. To aid them, this guidance complements government advice by setting out high-level questions and issues for audit committees to consider."
That is a good example of 'spelling it out' for FTSE350 boardrooms. Helpfully, the NAO has also since then published a short guide to regulation. Should any boardroom directors be reading this, they might also want to look at this piece via Nasdaq on the board's role in cyber security.
In good timing for the relaunch of Board Talk after a long summer lull, October turns out to be Cyber Security Awareness Month.
It is the EU's annual awareness campaign, following the example set by the United States. Less than a year ago, Sarah Bloom Raskin, Deputy Treasury Secretary in the US, told the Financial Times that most of the then-recent cyber attacks on the financial system could have been avoided relatively easily if the private sector and government institutions had taken basic security precautions.
If anyone needs reminding, UK companies will soon be forced to improve data security in response to the EU's General Data Protection Regulation (GDPR). My inbox is overflowing with professional services firms willing to help.
The rules, which require businesses to identify and report attacks within 72 hours, come into effect next May and will still be integrated into UK law after Brexit. Only 6% of the FTSE350 companies polled by the UK government in August this year said they were fully prepared for GDPR.
Folklore says (wrongly, I believe) that a leopard cannot change its spots. I have no idea regarding ostriches, analogies and mind-sets.
But it is very clear that UK corporate governance standards need to be updated for this critical cyber security threat in a digital world - because it is the only way, it seems, that business is going to take it seriously.
Companies will, of course, be in very different places along the curve towards digital transformation. But they might want to note this, from BDO on CFOs being the custodians of cyber security.
"Finance Directors' specific experience adds great value to an organisation's cyber security strategy. They approach cyber security from a holistic business angle, integrating risk management, ERP, compliance, reporting, valuation and business continuity," it says.
"We are witnessing a budding crisis in the implementation of cyber security information governance, risk management and compliance (iGRC) requirements and organisations are facing ever more stringent cyber security regulations: it is not surprising that many of them feel overwhelmed. The recruiting, staffing, training and retention of cyber security talent is a significant challenge for nearly all companies - and the global shortage of experienced cyber security professionals is expected to increase over the next three to five years. It is vital that finance, risk and compliance management professionals in public and private organisations - in particular SMEs - step up and take ownership of the growing financial responsibilities in cyber security," said Gregory Garrett, Head of International Cyber Security at BDO.
Does it ring any bells if you think of what the NAO is saying? There is literally no excuse for FTSE350 boardrooms not to crack on - even if it means (and to some this might scream 'perish the thought') re-thinking some recruitment practices when it comes to the boardroom.