Does it matter whether companies can predict their future and the potential impact of cyber risk?
According to the Financial Reporting Council (FRC), it does. For companies reporting year ends from 30 September 2015 onwards, and driven by the need for greater transparency in the stewardship of listed companies, one of the new requirements within the UK Corporate Governance Code is for PLC directors to include a viability statement in the company’s annual report to investors. In other words, do they think the company will still be viable and operational in three to five years?
The changes, according to the FRC, also “raise the bar for risk management” as companies “should robustly assess their principal risks and explain how they are being managed or mitigated”.
However, among the September 2015 reports filed to date, none has mentioned cyber security as a risk. As the scale and nature of the cyber threat continue to evolve, it is a brave listed company board that does not acknowledge cyber crime as a potential threat.
Why is cyber security, apparently, not on the agenda for some directors? Either they think it’s a routine, rather than strategic, matter looked after by the IT department, or simply they haven’t thought of it as a significant risk area. If it’s the latter, I wouldn’t be surprised; many boards don’t fully understand the cyber threat. They see cyber resilience as a cost incurred for something that might not happen. They certainly don’t see investing in it as a way to build business advantage.
The flaw in this thinking is that companies can invest millions in intellectual property, for example in new applications, designs or software, yet not realise the potential threat from copying or exploitation if they are not vigorously protecting it. If your company is creating a new tablet computer, it is a digital asset that should be protected. You wouldn’t expect a jeweller to make a crown for the monarch without having a lock on the door.
The cyber security conversation in companies
Whether board directors are discussing and addressing cyber security varies a lot by company, and attitudes span both ends of the spectrum. Some company boards spend little time in conversation about it and leave it to the CIO. Others take it very seriously, with the result that staff are forbidden from taking their company mobile phones to places such as Hong Kong or mainland China, and are not allowed to access company data while away.
But listed company board directors should be mindful of what their shareholders think on the matter. Though there is little evidence now of shareholder activists making a fuss about cyber security, it could be the lull before the storm: if institutional shareholders decide that a company has cyber leaks, they will not hesitate to dump the shares and move to competitors.
Instilling a cyber resilient culture in companies
Conveying the importance of cyber security and cyber resilient behaviours is being done well in some companies: for example, visitors are given different coloured lanyards so that staff know what level of information they can discuss with them, and the visitors themselves may not be aware of this. In many professional services firms there are clean desk policies to reduce the risk of paper files going missing or being viewed; similarly, greater discipline is now being applied to the use of mobile devices, laptops and employees’ own devices. This is essential, as the average value of the data on a mobile phone is estimated at $14k and there are people willing to pay that money and more to gain access to a phone’s data.
A cyber security learning curve for directors
The FRC’s latest requirements mean that PLC directors need to get up to speed with the nature of cyber risk. Initially, this could involve an online course from the Open University to raise awareness of cyber issues generally, or the use of AXELOS’s RESILIA™ cyber resilience best practice portfolio. For example, a boardroom simulation that works through what would happen if the company were attacked, and how the board would react, is just as important an exercise as the regular fire drill and building evacuation.
Once some companies start to refer to cyber risk, and how they are mitigating it, within their strategic report to investors, peer pressure should work through to other companies. However, company boards should not be waiting to see what others are doing. Instead, they should see this as an opportunity to market their commitment to corporate best practice in cyber resilience and take the credit for it.
See our RESILIA section for more information about cyber resilience.