Cyber risk and security
Some ongoing corporate governance concerns
It has been a while since I contributed to OUP’s corporate governance blog, which I share with Professor Chris Mallin. So I thought that, rather than focusing on a single theme, I would comment on issues that are currently concerning directors and their professional advisers around the world.
In particular I will address shareholder communication, shareholder engagement, executive compensation, cyber security, and the challenges of cronyism and corruption.
Cyber risk and security
It is now widely recognized that strategies for identifying corporate vulnerabilities and managing risk are part of the corporate governance responsibility of every board, although some boards could usefully spend more time assessing the potential strategic risks faced throughout their group (BP’s Deepwater Horizon oil rig disaster and the Fukushima Daiichi power station disaster for Tokyo Electric Power come to mind). An interesting idea adopted by a few boards is the creation of ‘play-books,’ which develop scenarios of possible strategic risks and chart the company’s planned response should they arise.
The growing risk of cyber attack or IT system breakdown is recognized by many boards but cyber governance is still in its infancy. Cyber warfare could strike a company in a number of ways, for example through:
- communication failure between parts of the business or its supply chain;
- loss of service to customers;
- espionage to extract confidential information or trade secrets;
- hacking to obtain personnel or customer records;
- intentional destruction of records or communication systems;
- fraud to divert funds from the company or hide fraudulent transactions;
- deliberate destruction or falsification of records;
- destruction of company correspondence files.
No doubt a thoughtful board will identify other possibilities, not least the risk of providing the board papers online. To fulfil their fiduciary duty, boards need to ensure that their risk management strategy fully covers the risk of cyber attack and IT systems breakdown. Supporting policies covering, for example, stand-by facilities, back-up data storage, and recovery systems need to be in place, tested, and regularly reviewed.
In an ever-interconnected business world, dependent on the internet and modern telecommunication, the threat of significant loss to profits, markets, or indeed to survival is real. Cyber governance is an increasingly significant part of a board’s corporate governance portfolio. It needs to have the right tools in its corporate governance tool kit.
Bob Tricker, May 2016
(for more on Professor Tricker’s publications and videoed lectures see www.BobTricker.com)