Cyber Security: A Question of Risk

Cyber security has been in the headlines recently with high profile incidents of hacking of various organisations’ IT systems and their supposedly secure data.

The ‘UK Corporate Governance Code (2016)’ discusses risk management and internal control, stating ‘The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated’, para C.2.1.

The UK’s Financial Reporting Council (FRC) placed cyber security firmly on the agenda for companies’ risk management strategies when, in October 2016, they wrote to audit committee chairs and finance directors, commenting “we encourage companies to consider a broad range of factors when determining the principal risks and uncertainties facing the business, for example cyber security and climate change”.

The Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) published a joint report ‘At the Junction of Corporate Governance & Cyber Security (2017)’. The report recommends that the fundamentals of a cyber risk management framework should be based on the OECD principles contained in ‘OECD Recommendation – Digital Security Risk Management for Economic and Social Prosperity (2015)’ and the ‘Three Lines of Defence’ model promoted in the joint FERMA-ECIIA publication ‘Audit and Risk Committees – News from EU Legislation and Best Practices (2014)’.

The FERMA-ECIIA (2017) report’s conclusions include:

  • beyond IT, cyber security is also becoming a matter of corporate governance, and the right governance framework is crucial to the efficient management of cyber risks;
  • organisations should create a “Cyber Risk Governance Group”, reporting to the Risk Committee and chaired by the Risk Manager, to determine with other functions the cyber risk exposure, expressed financially, and establish possible mitigation plans; the Group should cooperate with Internal Auditors to avoid silos;
  • Internal Auditors review the controls implemented and give independent assurance to the Audit Committee about the cyber risk, the efficiency of the controls and the mitigation plans;
  • the Risk Committees and the Audit Committees must collaborate to present a common view of cyber risk management to the Board.

Cyber security in large FTSE companies

In February 2017, Deloitte published its ‘Cyber Reporting Survey (2017)’, which provides useful insights into the cyber reporting practices of the UK’s FTSE 100 companies. The outcomes of its review of FTSE 100 annual report disclosures include:

  • 87% of companies disclose cyber as a principal risk;
  • the value destruction capability of cyber risk is very high, ranging from remediation demands to huge reputational damage;
  • detailed disclosure highlights the risks to shareholders, and the better disclosures are company specific, year specific and provide sufficient detail to give meaningful information to investors and other stakeholders;
  • boards and board committees are increasingly educating themselves about the cyber threat and challenging management on how they are dealing with the risk;
  • companies should take credit for what they are doing, including describing who has executive responsibility, board level responsibilities, the policy framework, internal controls, and disaster recovery plans.

Deloitte’s Cyber Reporting Survey also points out that the UK does not have a specific cyber security disclosure framework, but that the USA may provide helpful guidance on such disclosure, as the Securities and Exchange Commission (SEC) issued disclosure guidance as far back as 2011.

In July 2017, HM Government published its ‘FTSE 350 Cyber Governance Health Check Report 2017’. The Government has undertaken a regular survey of the UK’s top 350 companies since 2013 to understand how they are managing their cyber risks. Overall, 105 companies responded to the 2017 Health Check survey, the majority of respondents being the Chair of their company’s audit committee. Cyber risk is now seen as a top, or group-level, risk by the majority of Boards (54%) when compared with all the risks faced by their company. Only 13% of respondents now say cyber risk is viewed as a low, or operational-level, risk by their Boards. Whilst 31% of boards receive comprehensive and informative management information on cyber risks, 68% say they have not received any training to deal with a cyber incident.

Concluding thoughts

The reports discussed above indicate a common theme: that cyber security is of increasing importance, that cyber risk is recognised as a major risk facing companies, and that managing that risk is part of a robust corporate governance structure. There is still a consensus to be reached on whether the risk committee, the audit committee, or a cyber risk governance group is the most appropriate body to manage this risk, and how they might work together to do so. However, it seems clear that in the near future more attention will have to be paid to training in cyber security issues and to the appointment to corporate boards and board committees of qualified individuals with relevant knowledge of this area.

Chris Mallin

November 2017

Some ongoing corporate governance concerns

It has been a while since I contributed to OUP’s corporate governance blog, which I share with Professor Chris Mallin. So I thought that, rather than focusing on a single theme, I would comment on issues that are currently concerning directors and their professional advisers around the world.

In particular I will address shareholder communication, shareholder engagement, executive compensation, cyber security, and the challenges of cronyism and corruption.

Cyber risk and security

It is now widely recognized that strategies for identifying corporate vulnerabilities and managing risk are part of the corporate governance responsibility of every board, although some boards could usefully spend more time assessing the potential strategic risks faced throughout their group (BP’s Deepwater Horizon oil rig disaster and the Fukushima Daiichi power station disaster for Tokyo Electric Power come to mind). An interesting idea adopted by a few boards is the creation of ‘play-books’, which develop scenarios of possible strategic risks and chart the company’s planned response should they arise.

The growing risk of cyber attack or IT system breakdown is recognized by many boards, but cyber governance is still in its infancy. A cyber attack could strike a company in a number of ways, for example through:

  • communication failure between parts of the business or its supply chain;
  • loss of service to customers;
  • espionage to extract confidential information or trade secrets;
  • hacking to obtain personnel or customer records;
  • intentional destruction of records or communication systems;
  • fraud to divert funds from the company or hide fraudulent transactions;
  • deliberate destruction or falsification of records;
  • destruction of company correspondence files.

No doubt a thoughtful board will identify other possibilities, not least the risk of providing the board papers online. To fulfil their fiduciary duty, boards need to ensure that their risk management strategy fully covers the risk of cyber attack and IT systems breakdown. Supporting policies covering, for example, stand-by facilities, back-up data storage, and recovery systems need to be in place, tested, and regularly reviewed.

In an ever more interconnected business world, dependent on the internet and modern telecommunications, the threat of significant loss of profits, of markets, or indeed of the company’s survival is real. Cyber governance is an increasingly significant part of a board’s corporate governance portfolio, and the board needs to have the right tools in its corporate governance tool kit.

Bob Tricker, May 2016
(for more on Professor Tricker’s publications and videoed lectures see www.BobTricker.com)