Company boards risk losing the race with cybercriminals

The report, ‘Governing cyber risk: a guide for company boards’, which is based on benchmark interviews conducted at board and senior executive level from across TheCityUK’s membership, outlines a new framework for boards to meet the growing cyber threat. It found that many companies were yet to meet the standards published today and need to do more to address the risks.

The report benchmarked boards on how ‘proactive’ they are in engaging and informing themselves on cyber and how much ‘challenge’ they are creating for management in providing active and intrusive oversight.

While boards need to ensure their companies are front-runners in the race to digitise, they also have a responsibility to manage the exposure to cyber crime that digitisation creates.

In parallel, rules such as the UK Corporate Governance Code, the Senior Managers & Certification Regime and the General Data Protection Regulation are creating additional board responsibilities for cyber security. Data compiled by Marsh suggests a tripling in directors and officers liability insurance claims within the UK financial sector over the past three years.

Marcus Scott, chief operating officer, TheCityUK, said: “Cyber security is now a major risk demanding board-level oversight as companies find themselves under siege from cyber-attacks. In fact, for many of our members it may well be the biggest single risk. As well as mitigating against external attacks, boards must be aware of supply chain threats which could penetrate a business through internal channels. These criminals are smart and persistent. The best form of defence is a collective, industry-wide approach. It’s essential for all boards to have robust governance systems in place to manage these risks.”

Mark Weil, chief executive officer, Marsh, UK & Ireland, said: “While there has been much discussion on the technical aspects of cyber risk, little is said on what company boards should be doing to address this threat. Boards need to drive forward digital transformation to maintain their competitive edge, while ensuring they are resilient to the many forms of cyber-attacks digitisation opens them up to.

“While we found big differences in boards’ approach to governing cyber risk, closing the gap should be relatively straightforward as the differences are more about attitude than spend. We want boards to be able to have a ‘no regrets’ position on cyber, meaning that if a breach does occur, they know that everything reasonable has been done to minimise harm.”