Cyber risk and security

Some ongoing corporate governance concerns

It has been a while since I contributed to OUP’s corporate governance blog, which I share with Professor Chris Mallin. So I thought that, rather than focusing on a single theme, I would comment on issues that are currently concerning directors and their professional advisers around the world.

In particular I will address shareholder communication, shareholder engagement, executive compensation, cyber security, and the challenges of cronyism and corruption.

Cyber risk and security

It is now widely recognized that strategies for identifying corporate vulnerabilities and managing risk are part of the corporate governance responsibility of every board, although some boards could usefully spend more time assessing the potential strategic risks faced throughout their group (BP’s Deepwater Horizon oil rig disaster and the Fukushima Daiichi power station disaster for Tokyo Electric Power come to mind). An interesting idea adopted by a few boards is the creation of ‘play-books,’ which develop scenarios of possible strategic risks and chart the company’s planned response should they arise.

The growing risk of cyber attack or IT system breakdown is recognized by many boards but cyber governance is still in its infancy. Cyber warfare could strike a company in a number of ways, for example through:

  • communication failure between parts of the business or its supply chain;
  • loss of service to customers;
  • espionage to extract confidential information or trade secrets;
  • hacking to obtain personnel or customer records;
  • intentional destruction of records or communication systems;
  • fraud to divert funds from the company or hide fraudulent transactions;
  • deliberate destruction or falsification of records;
  • destruction of company correspondence files.

No doubt a thoughtful board will identify other possibilities, not least the risk of providing the board papers online. To fulfil their fiduciary duty, boards need to ensure that their risk management strategy fully covers the risk of cyber attack and IT systems breakdown. Supporting policies covering, for example, stand-by facilities, back-up data storage, and recovery systems need to be in place, tested, and regularly reviewed.

In an ever-interconnected business world, dependent on the internet and modern telecommunication, the threat of significant loss to profits, markets, or indeed to survival is real. Cyber governance is an increasingly significant part of a board’s corporate governance portfolio, and the board needs to have the right tools in its corporate governance tool kit.

Bob Tricker, May 2016
(for more on Professor Tricker’s publications and videoed lectures see

1 comment so far

  1. iBoardrooms (@iBoardrooms) on

    If a board is going to talk the talk on cyber risk, we would suggest that they should also walk the walk. Rather than retreat from putting their materials into an online portal, the board should use the selection process of a secure online board portal as a case study for how the board can meaningfully oversee the security of IT assets across the company.

    The board will be more familiar with the requirements of a board portal than for other IT assets in the firm and this makes the board portal a good way to get the board up to speed on IT security oversight.

    And, the board will be hard pressed to maintain credibility with the rest of the organization on these matters if it is requiring other functions to operate secure IT systems but does not feel able to implement one itself.
