Ethics and Governance

Cyber-resilience: a priority for board members

Nov 13, 2020

A recent ICS survey has identified a serious gap in board members’ oversight of cyber-resilience. Bob Semple analyses the data and explains the practical steps board members can take to better protect their organisations.

When it comes to cyber-resilience, board members’ lack of capability and confidence is undermining their ability to do their core job: directing and overseeing.

That is the conclusion of a recent Irish Computer Society (ICS) survey of board members of Irish organisations (many of whom are Chartered Accountants). And when cyberattacks today are potentially as destructive as major natural disasters, that is bad news.

The ICS survey was undertaken to determine how well-protected Irish organisations are. What was found makes for sobering reading:

  • one in three board members have received no cyber training in the last year;
  • less than two in five have been properly briefed on cyber developments;
  • an alarming three quarters have never participated in a test of their board’s cyber incident response plan (if it even exists);
  • as many as one in six had no Statement of Risk Appetite at all, let alone one that properly reflected the board’s attitude to cyber-resilience; and
  • one in ten respondents confessed they had never briefed staff on the importance their board attaches to cyber-resilience.

'Noses in, hands-off' (but check!)

Good governance requires boards to adopt a 'noses in, hands-off' approach. But, as case law has reminded us, this does not absolve the board of its responsibility to ensure that tasks delegated to management are completed to their satisfaction.

For their part, management must be able to identify:

  • the assets they are trying to protect;
  • the key risks affecting them;
  • the controls that appropriately mitigate those risks; and
  • the plans that enable the organisation to bounce back from an attack.

The smartest organisations realise that they are past the point of always being able to repel the bad actors. Instead, the goal is to ensure that the organisation can recover quickly and effectively from a successful breach of its defences.

The ICS survey revealed serious gaps in each of these links in the chain of defence against cyberattacks.

Assurance

Increasingly, board members are asking:

  • Where am I getting assurance about risks, controls and resilience?
  • How valuable is that assurance?
  • Is it sufficient for me as a board member?
  • What other assurance should I be seeking?

The ICS survey revealed that one in three respondents have never obtained formal assurance from management on these issues. Furthermore, only half of respondents said that they had obtained assurance following independent testing by a third party.

Practical guidance

Cyberattacks are increasing in number, sophistication, and impact. Board members need to ask more questions, strengthen their defences, and get more assurance to ensure that their organisations are cyber-resilient.

You can find the report, with details of the practical steps board members can take, here: www.ics.ie/cyberresilience.

Bob Semple is a Director and Governance Consultant.