Skip to content Skip to navigation menu
Your browser is not supported by this site.
Please update to the latest version, or use a different browser for the best experience.

Corporate Counsel Connect collection

Back to In This Issue Subscribe
February 2016 edition

Cyber crime report: Corporate governance of cyber security

Thomson Reuters

CyberlockThere is plenty of information on the impact of cyber crime and on its complexity, but little in the way of information that assists companies to align their corporate governance to deal with the threat. Companies in the future will have to give cyber security a more important profile within the organization as, ultimately, it is the board’s responsibility.

Boards of directors can no longer afford to outsource the responsibility of this dynamic threat and are going to have to be more responsive to keep pace with developing issues that may affect their organizations. Cyber security governance structure will need to be less IT-centered and more properly aligned with other risk and control functions. Corporate counsel’s role in advising the board will be key.

The international threat

Cyber crime has developed over the last five years from interfering with systems to now online fraud, industrial espionage, theft of data, destruction of information, and disruption of systems. A recent New York State, Department of Financial Services (NYSDFS) report on cyber security in banking said: “Cyber attacks against financial services institutions are becoming more frequent, more sophisticated and more widespread.” Three main risks for banks are the need to understand the scope of the threat, industry interconnection, and the compliance costs of preparing for an attack.

The International Organization of Securities Commissions (IOSCO) has predicted that the next big financial shock will come from cyber space in pursuit of attacks on financial institutions. It is clear, however, that all business sectors are affected: Recently giant UK supermarket chain Tesco had to deactivate more than 2,000 accounts after log-in credentials were hacked and shared online by cyber criminals.

Need for governance alignment

The financial world appears more organized than most to deal with the mounting problem. For some time, regulators in all jurisdictions have been emphasizing the need for institutions to become active about cyber resilience. IOSCO has published a report exploring the evolving nature of cyber crime in securities markets, and the threats that it poses. Although cyber crime in securities markets has not had systemic impact so far, it appears that it is evolving in terms of increasing numbers of attacks each year, and more emphasis has been placed on the need for boards to exert leadership and governance to tackle the problem.

The NYSDFS report said that corporate governance for cyber security tended to be highly IT-centered, and that other employees in institutions appeared to be underrepresented in the cyber security governance structure: specifically, general counsel, public information, and corporate insurance. The report highlighted the need to realign governance in this area to be more inclusive of other disciplines, which would strengthen cyber security and ensure the organization was taking a holistic approach to managing risk.

Give boards more information

The report also suggested that, within institutions, boards of directors tended to receive fewer updates about cyber security issues than senior management. More specifically, 73 percent of institutions reported that board members received information security updates only quarterly or annually, whereas 33 percent of institutions reported that senior managers received monthly updates. The report indicated that periodic information security updates should be provided to all levels of management, including boards of directors, to ensure that the institution’s cyber risk was appropriately managed. Without these security updates, the board and/or the executive management would not fully appreciate the risks involved, and if these risks were not readily apparent, they would be less likely to understand why financial resources needed to be diverted to cyber security, the report said.

How can boards and executives plan for the future?

The rapid pace of change in technology makes it more crucial than ever that boards of directors and senior managers ensure all functions are aligned and sufficiently resourced. Executive managers, including corporate counsel, need to be more involved in identifying the institution’s top cyber risks, and need to understand how the organization can combat them. A sound understanding of cyber protection procedures is essential, so that the board is fully aware of how ready — or otherwise — the institution is to deal with cyber risks. Executive managers should ensure:

  • the board has an agreed approach toward the unique risk profile of the organization;
  • there is a sound knowledge of IT management and governance throughout the institution, and that all necessary functions are aligned to deal with cyber risks;
  • procedures for incident response and event management are in place;
  • there is a sound understanding of access controls and network security;
  • procedures for vendor management are in place;
  • and procedures for disaster recovery are in place.

Need for organizations to cooperate and share information about cyber attacks

Directors can play a crucial leadership role by sharing information about cyber attacks and combining resources with their counterparts at similar organizations to find solutions; more minds are better than one. Attacks are well-publicized, but there is no dynamic information structure to help institutions and businesses to combine and cooperate. This certainly seems to be one of the main obstacles to tackling the problem. The issues are growing year by year, and will eventually become too great for any one organization to deal with, as seen perhaps in the JPMorgan case. If institutions begin to “put their heads together” and share information about cyber attacks and pool resources to find solutions, much could be achieved.

Need to remain alert

No matter what the issues, executive managers will have to remain on the alert, and must be dynamic in the way that they deal with the risks involved. In time, this may require a new form of institutional governance that is concentrated not so much on getting business in the door but, rather, on saving it.

Boards are going to have to work harder to ensure that the corporate governance structure is fully aligned and that the measures they employ to counter attacks are constantly updated and designed to deal with the risks unique to that particular organization. As time goes on, organizations are likely to move away from the IT-centered model toward a leadership framework that will align all parts of the business to ensure stronger cyber security programs, and to pool resources with other organizations to enable them constantly to assess risks and threats, and to deal with them effectively.

About the report

This excerpt is from the Thomson Reuters Cyber Crime: The Fast-Moving Menace — A Special Report, published by Thomson Reuters Accelus.

Reporting team:
Brisbane – Niall Coburn
Hong Kong – Ajay Shamdasani
London – Martin Coyle, Susannah Hammond, Rachel Wolcott
New York – Henry Engler, Stuart Gittleman
Washington, D.C. – Emmanuel Olaoye
Editors:
Alexander Robson in London and Randall Mikkelsen in Boston
Design:
Paige Nazinitsky

Dig Deeper, learn more with CLEAR - GO