Cyber risk is now a major area of concern for all organisations and the board should be knowledgeable about such risk. Richard Sheath, Director, Independent Audit Ltd, looks at how a board can exercise oversight of this fast-moving and difficult-to-understand critical threat.
Most directors worry about their organisation’s exposure to cyber risk, especially when they sense it’s not a matter of ‘if’ but ‘when’. But few of them feel confident that their technical knowledge is sufficient to test what they are being told. Are they merely forming a half-baked judgement on the adequacy of their mitigation approach or the organisation’s ability to respond to a major breach? This is one of those areas where directors can’t be expected to become experts, and finding someone who’s already an expert but also has the right profile to become a non-executive director (NED) will always be tricky – especially with such a limited pool to dip into. In fact, increasing numbers of boards have stopped looking for cyber-NEDs and instead are appointing retained experts as their advisers. But of course even those need to be used wisely by a board.
So, what’s to be done? At a minimum, the board needs to have a clear framework of questions to ask – one based on a good understanding of the full breadth of the risk and required response. This article gives an introduction to this complex topic and provides a few pointers on good practice to help directors cover the ground and avoid the pitfalls.
Richard Sheath, Director
Independent Audit Ltd
Richard Sheath is a specialist in corporate governance with expertise in the effectiveness of boards, audit (and risk) committees, risk governance, internal audit and control culture. This article was authored by Mr Sheath with edits by Phillip Baldwin, Director, Asia, Independent Audit Ltd, and with additional contributions from CobWeb Cyber Ltd (UK). More information is available on the Independent Audit Ltd website: www.independentaudit.com.