Cyber Risk Management and the Board of Directors

Security is a board-level issue. We have all repeated this mantra so many times that it may have lost its meaning. To re-acquaint ourselves with the potency of this statement, understand that the board’s responsibility is to protect shareholders’ assets from loss while simultaneously increasing their value. The price of share of stock is tied to the value of the corporation’s underlying assets. These include reputation, goodwill and brand, all of which can easily be destroyed in a cyber attack. With threats against these assets on the rise, cyber policy and board of directors are now discovering each other as never before.

Cyber risk management: a higher priority for the board

Over the last decade, board-level focus on cyber security and cyber policy has increased. Michael Corey, a partner at PricewaterhouseCoopers (PwC) with responsibility for PwC’s West Region Cybersecurity and Privacy practice, has witnessed this transition firsthand. “We are seeing some boards recruiting and appointing members with more technology experience and in some cases specific cyber security experience,” said Corey. “Cyber policy is also moving up the board’s priority list. Cyber is on the agenda.”

• Board members are concerned about their own information security and privacy.
• They see, more clearly now than ever, that intangible assets like reputation and trust in the industry, are at risk from cyber threats.
• Boards and management are increasingly focused on identifying their corporations’ digital “crown jewels” and understanding how these assets must be protected.

A resource allocation issue

Michael Corey, Partner at PwC

Boards today are more likely to see cyber security as a resource allocation than they might have just a few years ago. “We work with boards to help them see the alignment between business strategy and digital strategy—as well as the converse, the risk to business strategy from cyber threats.”

Corey offered a financial institution as an example. He posited that such a corporation would build most of its strategy on the principle of trust. “Trust is a huge intangible asset for a financial services firm,” Corey explained. “It’s at the root of the brand’s value. If there’s a data breach, that will erode the public’s trust in the institution. At a board level, this awareness leads to a willingness to allocate more resources to protecting threats to being perceived as a trustworthy place to put your money.”

Not everyone has gotten the memo

The trends Corey has seen in the boardroom notwithstanding, PwC’s annual Global State of  Information Security Survey reveals an astonishing fact: That 44% of corporations still have no incident response plan. “It’s hard to understand that in light of the cybersecurity incidents in the press recently,” said Corey.