I found a recent article this week in the Globe and Mail which discussed cyber security and how boards of directors are (or really are not) positioned to tackle the cyber challenges that are now facing them. In reality, most boards, while staffed with great leaders with valuable experience and expertise, are not positioned to tackle cyber issues, simply because that is not the area in which they are trained.
Since November 1, Canada has had changes to its privacy laws, and with them, new requirements for companies and their boards to report data breaches, both to the privacy commissioner and to their clients. This will mean that we will see, more than ever, headlines and stories of data breaches within our Canadian corporate world. Up to now, fewer than 1/10th of Canadian companies report data breaches to law enforcement, instead looking to deal with the issues internally.
As a board member, due diligence says that one must be strategic when dealing with the issues at hand for your company. However, cyber security poses risk to the organization, and this risk, once manifested, can lead to large issues including share value erosion, loss of revenue and customer confidence, and more.
The article highlights some great points including:
- making it a risk-management exercise
- conducting a cybersecurity assessment
- updating the cyber-insurance policy
- revising your crisis management plan
I would add that boards will not always have a cyber expert among their members, although there are more and more experts prepared to supplement, whether as an adviser or a member. Boards should also look to having training and bringing an advisory person onto their risk or audit committees to help understand the new world of risk.
Cyber security for boards will soon shift from a nice-to-have to a must-have. Boards should embrace this quickly to help them navigate the tricky world that will become part of the norm for the board agenda.