Sharing Insights Is The Best Way To Improve Governance Around Cyber Risk
Few boardroom directors have "grown up digital" and there is a real sense of 'the blind leading the blind' when it comes to cyber security and boardrooms, regardless of their geography. It calls for far more active sharing of experiences and insights among businesses to move towards a winning situation for all stakeholders.
A report just out from WomenCorporateDirectors (WCD) in the United States and Marsh & McLennan's Global Risk Centre is based on interviews with WCD corporate directors aiming to identify how companies are addressing cyber threats and the use of cyber insurance.
It says that as the global regulatory landscape becomes more complex, cyber security is gaining increased board level attention.
Over a third of directors of US public companies now discuss cybersecurity at every board meeting, according to the report. "Cyber risks are being driven onto the agenda by high- profile data breaches , distributed denial of services (DDoS) attacks, and rising ransomware and cyber extortion attacks" it says.
"The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15 % of that loss is currently covered by insurance" says the report.
“Boards are definitely stepping up their oversight” says Elisabeth Case, US Cyber Advisory Leader at Marsh, a subsidiary of Marsh & McLennan.
Well, one would hope so. But the report also finds that directors are still challenged by multiple factors that they believe put their companies at greater risk.
Not only are director-level experts thin on the ground, it says, but most boards have only one director serving as the tech or cyber expert; few directors grew up in the digital age, and they now increasingly have to play catch-up to the sophisticated technology used in attacks.
There is a lack of bench-marking on security practices, says the report - and companies are unclear on how they stack up against their peers, leaving a lot of unanswered questions about best practices, business models, and geographies. There are also unknown risks around third-party providers : a third organisations surveyed do not assess cyber risk of their suppliers and vendors, "leaving mission-critical data exposed and beyond the company’s control" it says.
Because management often paints a rosier picture than reality, directors are often left in the in the dark about risks, which renders them "unable to sufficiently support risk mitigation efforts" it says.
One obvious answer to these findings is for businesses across sectors to collaborate on real-time experience, with confidentiality. Even in immediate hindsight such intelligence could be incredibly valuable.
“Cyber risk is just one of the areas in which boards have to ‘see around corners’ to anticipate what is coming next as far as threats and opportunities for their companies. With the increasingly complex nature of the risks ahead, sharing our best practices and hard-won experiences and insights is the best way to improve governance around these incredibly challenging areas” says Susan Keating, CEO of WCD.
You could say it's a very female approach to a problem.
There is also an acute need for collaboration for a very practical reason - the soaring cost of cyber insurance cover, "one of the fastest growing parts of the global insurance industry" as this piece in the Financial Times explores.
Booming demand for such cover has been met with "a mixture of delight and fear in the insurance world." says the FT. "Delight because cyber offers the potential for growth, unlike most other parts of the global specialist insurance industry where demand has been static for years. And fear because cyber insurance is so difficult to price. Like many of their clients, the insurers are struggling to assess the causes and consequences of large-scale cyber attacks, and to predict where the next one might come from or how big it will be."
We are learning every day how best to use technology for self-defined purposes, rather than be simply swept away with its potential. There are many possibilities for its use by HR departments, for example, around a better understanding of employee potential and progression throughout the business, regardless of gender, ethnicity or race.
In a digital world, the 'blind leading the blind' just does not have the same sense of futility as intended to be conveyed by the original idiom. While we can clearly be empowered as well as felled by technology, it's the human collaboration that will shape what we do with it. Such collaboration could lead to anonymised data pulled together for valuable mutual insights.
In order to increase board awareness of company risk, the report provides “10 Questions to Ask Management about Your Organization’s Cyber Readiness.” They include:
- Where do we rank in cyber preparedness compared to relevant peers, and how frequently does management perform cyber scenario testing/war games?
- How do we benchmark our performance?
- Which managers across the organization have accountabilities for cyber risks within IT, business lines, and other operational areas?
- What are the limits of liability of cyber insurance that we have available, and how can we determine if coverage is sufficient?