Cybersecurity in the boardroom


Board of Directors are appointed to oversee strategy and management of a company. Beyond this oversight function is their duty to protect the company and its stakeholders from looming business risks. In recent times, especially as digitalisation is on a rise, business risks have evolved to include more data breaches and cyberattacks. This places a responsibility on the Board – being protectors – to employ cybersecurity as safeguard. The discourse on cybersecurity in the Boardroom needs to be presented on two levels. Level 1 – how secure is sensitive Board information; and level 2 – how does the Board offer oversight to ensure robust cybersecurity throughout the entire company?

Modern Boards are said to be very effective and efficient most likely due to technology. Today’s Boardroom is more digital than physical; from circulating Board papers electronically to holding virtual meetings. Well, where there’s an opportunity, there’s risk. Given the sensitivity and value of information which Boards typically possess, there is even a higher risk of information theft or compromise. The potential damage of a cyberattack on such sensitive and valuable information is extremely detrimental, leading to substantial financial costs, reputational hits, and legal liability. Interestingly, the Board is often less cyber secure than a low-level employee.

A cyber perpetrator could be an outside hacker, a disgruntled employee or a former employee trying to disrupt the company. There is also a change of business model for cybercrimes. Some criminal groups identify the vulnerabilities, share the information while others lease the ransomware to another criminal group in exchange for a percentage of profit. Cyberattacks are now more sophisticated.

Against this agile and industrialised cybercrime market are Boards playing catch up. Many Boards do not have documented cybersecurity standards. As such, they are vulnerable to attacks which in some cases are accidentally facilitated by human error. Cyberattacks come in many forms including compromised passwords, abuses of privilege and hacks on known vulnerabilities, such as those found in virtual meeting tools. As the barest minimum, Boards need to be vigilant. But vigilance is never enough, and ignorance is really not an excuse. So, what can be done?

Three solution areas: in-depth awareness creation for each member of the Board; developing concepts and tools; and building capabilities. As cliché as it may sound, creating sufficient awareness is the first step to being cyber secure. Boards need to understand the cyber risks and challenges their companies face in order to ask the right questions. Also, know that no one is exempted from a potential cyber-attack; hence, every Board needs concepts and tools in place. It is about checking critical assets and processes to prevent or resolve an attack. Very importantly, there is the need to balance the controls and red tapes so as not to stifle innovation in the name of cybersecurity. The last area on building capabilities is to say that cybersecurity is not just the job for the IT personnel. A cyber resilient Board has well capable members who know how to protect sensitive company information. In fact, every individual of the organisation needs to be trained to identify and use appropriate security features and processes.

That leads to level 2 of the cybersecurity discourse – how does the Board offer oversight to ensure robust cybersecurity throughout the entire company? It is important that the Board ensures that company and client data held by any employee is protected. An underlying principle of good corporate governance is setting the right tone at the top. A truly effective Board implements cybersecurity in the Boardroom and replicates its standards throughout the company. Back to the three solution areas: creating in-depth awareness; developing concepts and tools; and building capabilities. The Board needs to first lead the implementation of these solutions in and outside the Boardroom, then establish an appropriate Board-level oversight. Some Boards delegate the oversight function to the risk and audit committee, while others have a stand-alone cybersecurity committee. Irrespective of a Board’s choice of structure, what is most important is to increase the volume and frequency of cybersecurity briefings on the agenda. Regular updates help Boards carry out their oversight responsibility, navigate the security landscape, and prioritise threats.

Cybersecurity is definitely not a one-and-done proposition. It is a dynamic process that requires the Board to be informed, engaged and updated beyond checking compliance boxes. It is also not a problem for the highly regulated industries like banking and insurance. Any company in any industry, be it private or public, is vulnerable to a potential cyberattack. Now is the time to include cyber expertise to the long list of requirements in the Board member selection process. As mentioned earlier, “a cyber resilient Board has well capable members who know how to protect sensitive company information”.

October is Cybersecurity Awareness month in Ghana. We can no longer afford not to be interested in this subject – there isn’t a choice.

Lovetta is a Compliance Analyst at B & P ASSOCIATES, Lawyers and Consultants. She has expertise in regulatory compliance, corporate governance and company secretarial matters. 

Email: [email protected]

Leave a Reply