Boards of Directors and Cybersecurity

By Marion Lewis, Co-Founder and CEO, Govenda

How to combat potential threats from cyber and ransomware attacks.

41% of business executives believe that cyber resilience is an established business priority, while only 13% of security-focused executives do.

Events over the past few months have highlighted the steadily increasing need for companies to formalize their cybersecurity protocols.

First, on March 9, 2022, the SEC outlined new rules that are designed to mitigate the risk of cyberattack. The rules would substantially increase the disclosure requirements for public companies regarding any cyberattacks, as well as the company’s actions to combat and decrease the risks of cybercrimes.

The SEC’s proposed rules focus on governance and board expertise. The new requirements would compel boards to share their members’ experience in cybersecurity and cyber risk, including the processes for mitigating risks, which board member(s) will be informed of potential risks, and what actions will be taken if the company becomes the victim of cyberattack. The proposed rules also require disclosure of information pertaining to cyber risk oversight.

The agency suggests that these increased requirements would give investors a more holistic picture of the company’s overall strategy.

Then, at the end of March, President Biden warned that “evolving intelligence” had revealed that Russia was planning to increase cyberattacks against the United States. There had not been a specific threat, but increased scanning activity from international IP addresses was seen as a sign that Russia wanted to retaliate for U.S. sanctions and was searching for weaknesses in U.S. companies’ cyber defenses. Russia had already succeeded in cyberattacks on thousands of Ukrainian government websites, and U.S. companies feared that Putin was testing and improving his arsenal of cyber weapons.

Protecting Your Intellectual Property from Cyber Attacks

These new and increasing concerns about cybersecurity have companies and boards of directors taking decisive action to mitigate the risks to their companies. They know that when the current climate that’s driving the increased risk has passed, there will be another right behind it.

Boards’ fiduciary duties now include cybersecurity oversight and risk mitigation. It’s time to ensure that your cybersecurity protocols are sufficient to keep your operations, information, and company safe from cyberattack.

Best Practices to Bolster your Cyber Defenses and Mitigate Cybersecurity Risks

  • Understand that robust cybersecurity protocols are good for business. Global losses from cybercrimes are expected to skyrocket from $1 trillion in 2020 to more than $10 trillion by 2025. Responsibility for protecting the company from cyberattack can’t be siloed in the IT department—it needs to be the priority of the board, executives, and all other stakeholders.

  • Conduct periodic assessments to determine your cybersecurity strengths and vulnerabilities. It helps to keep stakeholders informed of the company’s cybersecurity protocols so they can make informed decisions about how and where to increase security and mitigate risk. Some questions to ask include:
    • What are the company’s most valuable technology assets?
    • How will we know if we’ve been breached?
    • What security breaches would have the biggest impact on our business? On our customers?
    • Do we have enough resources allocated to cybersecurity?
  • Make cybersecurity a priority of board governance. The new rules proposed by the SEC express the urgency with which the agency views cybersecurity. Boards need to prepare now, making sure they have at least one member with cybersecurity expertise. This expert will ensure all the members are committed to robust cybersecurity protocols and determine the overall cybersecurity strategy.
  • Implementing comprehensive cybersecurity protocols establishes cybersecurity as a priority for the company. The protocols should include exactly what actions to take in the event of a malicious attack—from data breaches to installation of spyware and ransomware and other cybercrimes. They should be reviewed and updated frequently, as hackers and hacking technology quickly evolve to become more and more sophisticated. The protocols that protect your data now might not be sufficient to protect you in six months.
  • The protection of end-of-life devices is a risk that’s often overlooked by companies in their quest to minimize cybersecurity risks. What happens to your employees’ and board members’ laptops and smartphones when they’re replaced with newer, more efficient technology? Don’t assume your devices will be completely wiped when you bring them to be recycled. It’s crucial to be 100% sure that your data has been permanently destroyed.
  • A comprehensive Incident Response Plan can help your board act quickly and decisively in the event of a cyberattack, substantially reducing risk and the costs associated with a delayed response. Response plans should outline specific processes in response to specific attacks, and which executives or board members are responsible for doing what to alleviate losses.
  • Conduct ongoing training to ensure your board, executives, and other stakeholders are well versed in current best practices to help mitigate the risk of cyberattack. One of the most popular forms of cyberattack is an innocent-looking phishing or spear-phishing email—be sure everyone in your company knows how to identify these basic but effective tactics.
  • Simply installing security updates as soon as they’re available can help your company keep its data safe from cyber criminals. One of the easiest ways to mitigate cyberattacks is to make sure all your employees’ and board members’ computers, smartphones, and other internet-connected devices are up to date with the latest security and antivirus software.
  • Using multifactor authentication is becoming less the exception and more the rule. Employees, board members, and any other stakeholders should be required to use multifactor authentication when using any devices to access company information, including computers/laptops, email, VPN, and more.
  • Use board management software to keep your board business private and secure. Traditional, manual methods of creating board books, including paper, Excel, email, file sharing apps, and other legacy products, lack security and put your company’s confidential information at risk.

The Future of Cybersecurity Governance

The fact is that as soon as new cybersecurity technology is developed and implemented, cybercriminals start working on breaching it. It’s incumbent on the executives and the board to prioritize cybersecurity, creating a culture of cyber-aware employees from the factory floor to the board room.

The increase in cybercrime and the risks to sensitive information require a fundamental shift in the way companies and boards function and conduct business. Cybersecurity governance has become a crucial issue, and all indications are that it will remain a priority indefinitely.
