Surely the headline here is wrong, I hear you say. May be it is, may be it isn’t.
Let’s start with why cyber risk is in the boardrooms at all.
Virtual organisations can be cut off at the knees by one cyber attack. This need not even be an attack on a crucial part of your organisation’s infrastructure. Some would point out this is so obvious at this point that it should not require stating but there is a reason why the acronym BFO (blinding flash of the obvious) is still in use. As one notices a clamour in hiring cyber experts on boards of formerly rickety organisations with old-fashioned boards made of people who have taken pride in not being very online, this needs to be stated loudly. For those in the back. And in a 2020-catalysed Spartacus moment, we are all (overseeing or working in or with) virtual organisations.
The board needs to ask sharp questions about the infrastructure that keeps an organisation running. This means the board needs to understand what makes up that infrastructure, identify the weak links, scrutinise remedial work. The board needs ask specific questions of that organisation not a generic set of questions e.g. if you are a product e-commerce business, it is crucial to ensure your supply chain does not break down or if you are a school, it is crucial you can keep teaching (even if homework is delayed!).
The board needs to look beyond the old boundaries of an organisation. For better or worse we are in a highly integrated, connected world. Organisations that do not share or that actively hide information from others in their ecosystem do everyone damage. It is important that the board look beyond the boundaries of the organisation to the ecosystem, including upstream and downstream impacts, and reframe the idea of risk, emerging risk, and compound risk.
There are second, third, nth order effects of a cyber attack. Whether it is ransomware, a data breach or an email system compromised by phishing or other social engineering. The Colonial Pipeline ransomware attack, for instance, targeted the commercial side of the business but the company ended up shutting down all operations and production lines causing hoarding of gasoline, creating concerns about prices, and raising concerns about the lack of federal cybersecurity oversight of the business. Boards that do not understand cyber risk will find themselves looking at an organisation compromised by these effects regardless. So not being savvy to these risks is not an option.
Organisations cannot rely on “honour among thieves” as a strategy. The cyber criminals who recently attacked the Irish Health Service (FT link may require registration) are reported to have said “The good news is that we are businessmen. We want to receive ransom for everything that needs to be kept secret,” while naming a figure of $19.99m. There is of course no guarantee that paying the ransom will mean the criminals will keep up their side of the bargain. And if it involves data what can you do if they make a copy or release it anyway for sale on to the dark web? Dark web? What’s that? If as a board director you are asking this question, I am sorry but it should worry you.
Which brings me to my original thesis as stated in the title of this post.
Cyber skills are essential board skills. Either on the main board or on the audit and risk committee, having a cyber specialist is an essential now. But since anyone can be the weakest link that compromises the organisation, the board need to be cyber-savvy. This note on sensors and governance from 2016 may help frame why digital touchpoints are a source of risk about which the board must be sensitive.
Cyber insurance is a growing need. It is a peculiar feature of buying insurance policies that the fine print is not available to read until after you have purchased the policy and that is when you learn about all exemptions in detail. Not having cyber insurance however is not an option.
Yeah but you said cyber risk is heading out of board rooms! Yes I know I did.
Cyber risk, unlike many others that can be quantified or modelled, is an uncertain risk. And its impact is as hard to pin down. This means it is not profitable for insurance providers to offer cyber insurance and is increasingly uninsurable. Quoting from the first link:
But Mumenthaler argues that the private insurance market is simply not large enough to offer full cyber protection to vulnerable organisations, due to the systemic nature of cyber risk. He observed that the cyber insurance market is currently worth around $5.5 billion in premium, compared to “gigantic” yearly losses that extend into the hundreds of billions of dollars. “There’s a cyber market that’s very tiny compared to the total exposure,” he told CNBC. “It’s going to grow but only a tiny minority of cyber is actually insured.” “And I would actually argue that overall the problem is so big it’s not insurable,” Mumenthaler continued. It’s just too big. Because there are events that can happen at the same time everywhere that are much more worrying than what you just saw.”
State actors or state-sponsored malicious actors are no match for regular even multinational organisations. Neither the strategic foci of organisations nor their resources or their resource allocation capacities are a match for a malicious state-actor or a malicious state-sponsored actor’s actions. These are systemic risks which are outside the purview of the responsibility of the board which should focus its efforts on bringing scrutiny to the malicious actions not the malicious actors. This is being recognised both by businesses and by government agencies — see this recent ransomware report by a public-private task force for instance, or the UK government’s 2021 integrated review combining security, defence, development and foreign policy which mentions cyber as a key aspect of resilience.
To the title of this post, cyber security is no longer just a corporate governance issue but a national security governance problem. To that extent, cyber risk has grown so much that parts of the multi-headed hydra are now heading out of the boardroom.
But the parts of it that remain in the boardroom continue to need vigilance and heightened scrutiny, and to require boards to understand the controls, the levers they can pull to address an incident. That remains our job as directors. Our own cyber discomfort is not helpful.
(Disclaimer: These are my own views and do not reflect the views of the boards of JP Morgan US Smaller Co.s Investment Trust or Temple Bar Investment Trust or London Metropolitan University, where I serve as a non-exec director, and chair various committees at the time of writing.)