A non-financial risk that every board of directors needs to consider and manage is that of cyber security. Historically, this has been considered to be the domain of the CIO or COO of an organisation. However, it is now climbing up the corporate agenda to become a main board corporate governance issue. In 2010 the risk of cyber-attack was elevated in the UK National Security Strategy to become a tier one threat to national security (alongside armed conflict, major terrorism and a major disaster or epidemic).

The Department for Business, Innovation & Skills (BIS) is currently working hard with GCHQ, MI5, the Cabinet Office and other agencies to raise awareness of, and preparation for, cyber-crime and industrial espionage within the corporate sector. Having been alerted to this, it is vital that you assess your corporate risk in relation to cyber security issues, both within your business and within your supply chain, and understand the impact this has on your corporate insurances and the structure of your business.

Back in 2012 GCHQ identified ten steps each business should take to reduce its cyber risk. These ten steps reflect the simple fact that basic information risk management can prevent the vast majority of cyber-attacks, freeing up companies to concentrate on managing the impact of the more difficult minority.

More recently, the Institute of Chartered Secretaries and Administrators (ICSA), with the assistance of BIS and others, issued guidance for boards on managing cyber risk in June 2013 (see our July 2013 update)1, and in January 2014 the ICAEW, with the assistance of, among others, the Law Society, the Takeover Panel and the LSE, published a guide on cyber security in the context of corporate finance transactions.2

The ten steps identified by GCHQ

  1. Adhere to a home and mobile working policy
  2. Increase education and awareness of cyber risks
  3. Implement effective incident management and disaster recovery processes
  4. Establish effective structures to reflect your information risk appetite
  5. Manage user privileges appropriately
  6. Control removable media
  7. Put in place effective monitoring
  8. Securely configure all ICT systems on a standardised basis
  9. Maintain malware protections and scanning
  10. Protect your network

Directors and company secretaries are encouraged to read and consider in full the Ten Steps to Cyber Security document prepared by GCHQ, as well as the ICSA and ICAEW guides, and to consider at both full board and audit or risk committee level how these ten steps should be incorporated into the business. A board which fails to do this risks dangerously exposing its own business and those of its suppliers and customers.

Footnotes

1 The ICSA guidance on cyber risk is available at https://www.icsa.org.uk/assets/files/Guidance%20notes/gn06-2013cyberrisk.pdf.

2 The ICAEW guide 'Cyber-Security in Corporate Finance' is available at http://www.icaew.com/~/media/Files/Technical/Corporate-finance/Corporate-finance-faculty/tecpln12526-cyber-web.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.