
Directors have a new risk to take into account when drafting or reviewing their company's risk policies and procedures: cyber security risk. Cyber security risk may have a reputational as well as a financial impact on a company, and it is constantly evolving. Accordingly, regular security assessments, the encryption of data and the installation of a firewall have become a must for today's corporate entities if they are to protect their clients and their data.

IOSCO's Research Department defines cyber crime as "a harmful activity, executed by one group or individual through computers, IT systems and/or the internet and targeting the computers, IT infrastructure and internet presence of another entity."

In our technological cross-border society, cyber security risk is a threat which is faced by all companies. Regulated companies are also being encouraged to ensure that they are prepared against cyber security risk, particularly as various regulators around the world are now focusing on the proper implementation and operation of cyber security policies and procedures.

The Board of Directors of every company has an important role in ensuring the company's preparedness against cyber security risk. Cyber attacks may be targeted against the company's name and reputation (disturbance to consumer-facing services), the assets of the company (client data and intellectual property) and the company's technological systems, forcing these to shut down. Directors must ensure that their company has proper internal controls in place to mitigate cyber security attacks. Accordingly, the company's cyber security risk management policy is a document which all directors should be asking to review and discuss at the next board meeting and regularly thereafter.

Directors should focus on:

  1. Oversight: what steps is the company taking against cyber security threats;
  2. Governance: how robust are the company's cyber security procedures;
  3. Being one step ahead: by testing the company's cyber security systems and procedures and by continuously reviewing and updating the same.

Directors should conduct periodic assessments of:

  1. the information that the company collects and holds;
  2. how this is used and how it is stored;
  3. the cyber security threats to and the weak points of the company's IT systems;
  4. the impact should these systems become compromised and how the company tries to prevent this.

Directors must understand that cyber security is not simply an IT issue. It is an issue which affects the company as a whole and the board must ensure, possibly also with the help of independent security professionals, that the company is properly addressing all risks which may arise from cyber security.

In the case of companies that outsource their IT requirements or use cloud computing, cyber security risk is particularly important and here directors must ensure that they review and oversee the cyber security policies and systems of their service providers.

As companies seek to adjust to the new threats which arise from cyber security risk, the Board of Directors should rely on a tried and tested approach and set the tone at the top, creating awareness that cyber security risk is a risk faced by the company as a whole and that all employees, senior management and the directors should work together to ensure that the company's assets are protected against cyber attacks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

AUTHOR(S)
Stephanie Sciberras
Ganado Advocates