Cyber security a strategic concern for directors and boards

Managing cyber risk is a concern for the entire organisation and should be led from the top.

With an increasing number of issues coming under the board’s remit, directors need to keep abreast of the risks facing their organisation including readiness to deal with a cyber breach.

A recent research report produced by the Institute of Directors in Ireland (IoD) and Mason Hayes & Curran, examining the importance placed on cyber security by directors and boards in Ireland, found that awareness of cyber security issues at board level is high, with 93% of directors rating it as very or quite important. This is unsurprising given that one third of directors report that their company has experienced a cyber breach in the past two years.

It is the duty of directors, and the board, to understand, manage and mitigate cyber risk, leading from the top, and all directors should ensure that they are fully aware of their responsibilities, legal and otherwise, in relation to cyber security.

The research, carried out with just under 300 members of the Institute of Directors in Ireland, also found that 85% of directors claim to have a high to medium understanding of the cyber risks facing their organisation. The most common cyber breaches experienced include computer viruses, the loss or theft of mobile devices, the hacking of company email accounts, data protection breaches (for example, the inadvertent disclosure of data) and websites being hacked.

Techniques of cyber-attack are never static, but are wide and varied, and so the continuously changing face of cyber risk means that directors and boards need to keep up-to-date in order to best protect against and mitigate the risks of serious security incidents.

It is, therefore, encouraging that 69% of directors claim their organisation is prepared or very prepared for a cyber breach, with an identified executive with responsibility for cyber security present in 80% of organisations. However, only a marginal majority of organisations, 56%, have a formal cyber security strategy in place.

This is critical as organisations that successfully reduce the chances of a security breach through the development of a cyber security strategy and formalising policies and structures to deal with a breach, not only guard their data, but also protect their reputation, avoid potential legal liability and reduce the potential for major business disruption and financial loss.

If you are a company director, there are a number of key questions to consider in relation to cyber security:

  • Where does cyber security fit within the company’s governance framework?
  • Does the company have a cyber security strategy?
  • Do all personnel understand that there is a cyber security strategy and their role in implementing it?
  • Is the strategy understood and led from the top?
  • Has the company’s cyber security strategy been tested as part of business continuity?
  • Has the company experienced any cyber security breaches in the past and what measures have been put in place as a result to protect against future breaches?
  • Do third parties pose any threat to the company’s cyber security?
  • How might a breach impact on the company’s reputation and what is the role of the board within that?

In answering these questions, directors should be aware that where there is a liability, there is a corresponding responsibility for that liability, and as the duties of directors and boards come under increasing scrutiny, it is in their interests to ensure that they have a full understanding of the cyber security risks facing their organisations and to put appropriate plans in place to address such risks.

Read the full results in the IoD and Mason Hayes & Curran research report, Cyber Security in the Boardroom.

By Maura Quinn, Chief Executive, Institute of Directors in Ireland.