International cybercrime is becoming big business and a primary corporate risk, and boards are grappling with understanding its complexities and ensuring that robust defences against attackers are in place.
At a recent Centre for Audit Committee and Investor Dialogue (CACID) meeting – a joint initiative between Mazars and institutional investors – we discussed the policies and procedures that boards need to have in place to combat the risks facing corporations and why they need to go further than simply complying with the new regulation.
Discussions touched on:
Clear policy and procedure
Boards need to start by identifying their critical IT assets and the personal data they hold, and understand how those could be affected by various cyber-threats. This step is crucial in light of the new data protection rules (the General Data Protection Regulation, or GDPR), which became applicable in May 2018. It is essential for boards to show the regulator that effective protection is in place and to demonstrate the steps taken to achieve it.
The tough new regulation is certainly sharpening minds with its aim of establishing Europe-wide standards for the protection and security of personal data. GDPR requires companies to make sure the personal data of individuals in the EU is effectively protected and secure. Surveys have indicated that many companies are still unprepared for the tougher rules on the protection and storage of personal data that GDPR requires.
One of the mistakes boards often make is to believe that a threat to cybersecurity ‘is only IT-related’ rather than a business risk.
Best practice approaches include appointing a board member with specialist technology or cybersecurity experience, who can understand the company’s complexities and vulnerabilities and explain to the rest of the board, and to the audit and risk committees, the security and data protection measures needed.
Smaller companies, which might be more constrained by costs than their bigger counterparts, should bring in external cyber-risk advisors. Waiting until ‘someone kicks the tyres’ before investing in training or specialists is no longer an option.
Disclosure controls and procedures
Boards also need to make sure they have a clear post-breach plan of action and that regulatory reporting of data breaches follows the right procedure to meet the new GDPR requirements; GDPR requires notification of a personal data breach to the supervisory authority, where feasible, within 72 hours of the company becoming aware of it. New guidance from the US Securities and Exchange Commission (SEC), issued in February 2018, on the disclosure of cybersecurity risks and incidents to investors is also a helpful reference for companies scrambling to put breach-response and disclosure procedures in place, although it addresses securities-law disclosure rather than GDPR notification.
Dealing with investor concerns
The new regulations are encouraging investors to ask sharp questions and to expect boards to give informed and detailed answers that provide assurance. One large institutional investor present at the meeting explained that if they do not have enough confidence in a company’s level of cybersecurity resilience, they will not invest in it.
The current challenging and complex environment of organised cybercrime, malicious software and dark-web activity means many boards will need to raise the bar to protect personal data and meet the requirements of all stakeholders in the near future.
This blog is an excerpt of an article, “A road map for protection against cybercrime security”, which appears in the Spring 2018 edition of Board Agenda.
By Nicolas Quariel